locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Mon, 20 Jul 2009 00:00:00 00, 736
Spyware and malware pages revisited

Nothing forces me to bone up on advances in detection and removal more than being sucked into an incident involving viruses and malware. My daughter allowed the gratis antivirus subscription for her new laptop to lapse. To her credit, she did keep current with her antispyware, but to no avail. Now she knows that she needs both malware and virus protection.

There are always two recourses when confronted with malware- and virus-infected machines. The first is to detect and remediate, and the second is to wipe and reinstall the operating system and applications from original media or a ghosted image (colleague Joe St. Sauver refers to this as the "nuke-and-pave" option). My experience is that the former can take 5-8 hours with no guarantee of success, whereas the nuclear option typically takes me 2 hours. Mileage when restoring images clearly varies depending on the number and type of applications installed, the time you invested when you ghosted the image, the potential for loss of data, and updates and changes to your application mix, so consider carefully when choosing your poison.

Nuke-and-pave can be a tough pill to swallow, but in this case the lappie was relatively new. Still, my daughter handed me her lappie in tears the evening before she was leaving for a three-week program at the University of Virginia's Young Writers Workshop (where her lappie would be essential), worried that she'd lose her music, workshop writing assignments, and more. Nuke-and-pave is not a hero's recourse, and I was clearly being asked to play hero :-)

I pulled out my install CD of detection and remediation software and quickly concluded that many programs were out of date. I contacted some colleagues, who identified several programs I had not tried, including Malwarebytes Anti-Malware (MBAM) and Secunia's Personal Software Inspector. Using these along with CCleaner and three antivirus products, I was partly successful: while I was able to clean up her machine to the point where I was confident I could safely copy her data files to a USB drive, I still had problems with some sticky startup files. Given another few hours, I would have doggedly pursued the startup problem, but I was running out of time, so I nuked her lappie, restored it to the factory image, installed new antivirus and antimalware software, and scanned the USB drive again before restoring her files. It's running fine again, and she's had a great experience at UVA.

An unintended consequence of this incident is that I decided it was past time for me to update my spyware and antispyware software pages. I spent some time reading more recent articles and testing additional antimalware freeware. I've marked all the recent additions with a thumbnail image "new". Enjoy and happy reading! Also, kudos and thanks to Joe St. Sauver and Josh Bierman for helpful pointers to much of the useful software now listed on my pages.

Archived at http://www.securityskeptic.com/arc20090701.htm#BlogID736 by Dave Piscitello  

Thu, 21 May 2009 00:00:00 00, 730
Global Phishing Survey: Domain Name Use and Trends in 2H2008

Colleagues Greg Aaron and Rod Rasmussen hit another home run with the latest version of the bi-annual APWG study on global phishing trends. The report, Global Phishing Survey: Domain Name Use and Trends in 2H2008, uses data from various phish reporting and monitoring sources. Combined, these sources provide a more accurate assessment of phishing and e-criminal activity than the reports that anti-malware companies are able to generate based on monitoring of customer PCs and user behavior.

Major findings include (from the report):

  • Phishers are increasingly using subdomain services to host and manage their phishing sites. Phishers use such services almost as often as they register domain names. And such attacks even account for the majority of phishing attacks in certain large TLDs. This trend shows phishers migrating to services that cannot be taken down by registrars or registry operators, thereby frustrating some takedowns and extending the uptimes of attacks.
  • Phishers continue to target specific Top-Level Domains (TLDs) and specific domain name registrars, and shift their preferences over time. 2H2008 demonstrated what can happen to registries and registrars who are not prepared to combat phishing with effective policies and procedures.
  • The amount of Internet names and numbers used for phishing has remained fairly steady over the past two years.
  • Anti-phishing programs implemented by domain name registries can have a remarkable effect on the up-times (durations) of phishing attacks.
  • There are decreases in phishing on IP addresses and the use of brand names in domain names to fool users. Phishers are not using IDNs (Internationalized Domain Names).

I recommend this report to anyone in the ICANN and domainer community who doesn't believe that dealing with phishing is within the remit of ICANN or the ICANN community. Greg and Rod identify the most frequently phished top level domains and rank the TLDs using a metric that fairly assesses phishing per 10,000 domains rather than purely by total phishing domains reported.

Another statistic from this report that I think merits consideration as a major finding is that phishing most often takes place on compromised Web servers. Greg and Rod found that "up to 81% of the domains used for phishing were compromised or hacked domains", explaining that "Phishing on a compromised Web site typically takes place on a subdomain or in a subdirectory, where the phish is not easily noticed by the site’s operator or visitors." Such sites are also *sticky* in the sense that there is legitimate content and purpose hosted at this domain and suspending the domain name would affect the domain owner.

This is an extraordinarily bad figure. For the victims of the over 24,000 phishing attacks involving compromised servers, Suzie Clarke and I recommend an APWG report we published several months ago entitled What to do if your web site has been hacked. It appears we need to write a report on how to secure web sites against hacks as well.

Archived at http://www.securityskeptic.com/arc20090501.htm#BlogID730 by Dave Piscitello  

Wed, 20 May 2009 00:00:00 00, 729
APWG 2H2008 Phishing Activity Trends Report

If you are looking for credible phishing statistics, try the APWG 2H2008 Phishing Activity Trends Report. Examples of the type of information you can glean from these reports follow:

  • The number of unique keyloggers and crimeware oriented malicious applications rose to an all time high in July.
  • Unique phishing websites detected by APWG during the second half of 2008 saw a constant increase from July through October.
  • The number of phishing attacks against payment services increased more than 34 percent between Q3 and Q4.
  • Financial Services continues to be the most targeted industry sector, and attacks against payment services are increasing.
  • The United States continues to be the country hosting the most phishing sites, but Sweden occupied the top spot for one month.
  • The United States also leads in hosting malicious code in the form of either phishing-based trojans or downloaders that install keyloggers, but Spain occupied the top spot for one month.

The combined effect of the McColo takedown and the coordinated operational response to the Conficker worm may have contributed to a drop-off in the number of phishing sites detected during the end of the quarter to the lowest number detected since August 2006.

Archived at http://www.securityskeptic.com/arc20090501.htm#BlogID729 by Dave Piscitello  

Mon, 27 Apr 2009 00:00:00 00, 726
Antiphishing messages: good for youth web sites, good for enterprises

My daughter's enjoyed many *safe* hours on Gaia Online, an anime-themed social networking and forums-based website. The folks who operate Gaia Online do a laudable job of keeping content and conversation age-appropriate (it's not perfect, but it's better than the average social network by a long shot). Another reason to toss kudos at Gaia Online is that they take user account management and the ever present phishing threat seriously.

You may ask, "what could I possibly steal at Gaia?" MMORPGs typically allow players to accumulate in-game loot and gold; in some cases, special items can be purchased using credit cards or PayPal. Stealing an identity in a virtual world is a real threat, and for youth and teens it can interfere with life as much as a successful identity theft from a financial institution does.

Gaia makes an earnest effort to combat this threat through user education. A good example is reproduced below:

Consider this example carefully. The message is clear: phishers want your account information! It's presented in the anime context that Gaia users will pause to read. This is an important aspect of antiphishing messaging that is often lost in the enterprise. Sending uninspiring email messages or displaying the same antiphishing "message of the day" on a wiki may not be the wisest strategy if you want to impress your audience. Try a cartoon, something age appropriate, from Dilbert or any cartoonist who's popular among employees in your company. Be creative: use Adobe Photoshop to add your phishing education message in callouts to photos of employees and executives (with approval, of course). Including executives sends a twofold message: they are as vulnerable as anyone else, and they recognize the threat as well. And it never hurts to show employees that senior management has a sense of humor and is willing to engage with employees.

Archived at http://www.securityskeptic.com/arc20090401.htm#BlogID726 by Dave Piscitello  

Fri, 06 Feb 2009 00:00:00 00, 717
APWG Report: What to do if your web site is hacked by phishers

I co-authored this report with Suzy Clarke of ASB Bank to serve as a reference guide for any web site owner or operator who suspects, discovers, or receives notification that its web site is being used to host a phishing site. The report explains important incident response measures to take in the areas of identification, notification, containment, recovery, restoration and follow-up when an attack is suspected or confirmed. The report provides a framework for response and highlights key actions for each stage of incident response. We do not attempt to provide an exhaustive list of actions but offer sufficient examples for seasoned web operators whilst not overwhelming readers who are less familiar with incident response following web attacks (and hence more vulnerable).

For a copy, click here.

Archived at http://www.securityskeptic.com/arc20090201.htm#BlogID717 by Dave Piscitello  

Mon, 17 Nov 2008 00:00:00 00, 712
Making Waves in the Phishers’ Safest Harbors

Rod Rasmussen and I collaborated to publish an APWG Advisory that describes how phishers use subdomain registries to provide safe harbors for malicious and criminal activities. A subdomain registry is a naming service web hosting providers offer to customers. The provider allows customers to register a subdomain from one of its own registered domains as part of a hosting service package. Customers choose a label (name) under the parent domain. The general structure for names of this kind is:


For example, if the web hosting company has registered the domain freewebhosting.com, a customer could register securityskeptic.freewebhosting.com, Paypal.freewebhosting.com, BankofAmerica.freewebhosting.com...
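As an added example (mine as editor, not code from the APWG advisory or from this blog), the following Python splits a hostname that sits under a known subdomain provider into the customer-chosen label and the provider's parent domain, and flags labels that carry a brand string a defender watches for. The provider list and brand list are constructed for the example; a real deployment would load its own.

```python
"""Classify hostnames registered under a subdomain registry.

Added example for the blog; the provider and brand lists below are
constructed, not data from the APWG advisory.
"""

# Constructed: parent domains that hosting providers hand out subdomains of.
SUBDOMAIN_PROVIDERS = {"freewebhosting.com", "example-hosting.net"}

# Constructed: brand strings a defender watches for in customer-chosen labels.
WATCHED_BRANDS = {"paypal", "bankofamerica", "ebay"}


def split_registry_name(hostname, providers=SUBDOMAIN_PROVIDERS):
    """Return (customer_label, parent_domain) when hostname is under a known
    subdomain provider, else None.

    Matching is case-insensitive; the customer label is the single label
    immediately under the provider's parent domain, so deeper names such as
    www.brand.freewebhosting.com still resolve to the label 'brand'.
    """
    host = hostname.strip().rstrip(".").lower()
    labels = host.split(".")
    # Try every proper suffix of the name as a candidate parent domain,
    # longest suffix first, so a provider's own parent matches before a TLD.
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in providers:
            return labels[i - 1], parent
    return None


def brand_in_label(label, brands=WATCHED_BRANDS):
    """Return the first watched brand contained in the label, else None.

    Hyphens and underscores are dropped so 'bank-of-america' still matches.
    """
    low = label.lower().replace("-", "").replace("_", "")
    for brand in sorted(brands):
        if brand in low:
            return brand
    return None


def assess(hostname):
    """Summarise one hostname: whether it sits under a subdomain provider,
    which label the customer picked, and whether that label names a brand."""
    parts = split_registry_name(hostname)
    if parts is None:
        return {"host": hostname, "under_provider": False,
                "label": None, "parent": None, "brand": None}
    label, parent = parts
    return {"host": hostname, "under_provider": True, "label": label,
            "parent": parent, "brand": brand_in_label(label)}


if __name__ == "__main__":
    for name in ("securityskeptic.freewebhosting.com",
                 "Paypal.freewebhosting.com",
                 "www.BankofAmerica.freewebhosting.com",
                 "paypal.com"):
        print(assess(name))
```

Feeding the provider's own zone listing (or a feed of newly created subdomains) through assess() gives a hosting provider a cheap first-pass screen for brand-bearing labels; the hits still need a human to decide whether the customer is the brand owner.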

But wait, would some of those names infringe on a brand? And couldn't someone use such a site to impersonate a brand and phish for accounts from such a site? They can indeed, and the practice is becoming widespread and difficult to contain.

Our advisory examines this unintended consequence of spinning one's own registry, a practice of largely well-intentioned free web hosting providers, and also discusses measures individuals and organizations can consider if they opt to make these harbors less attractive and effective to phishers.

See Making Waves in the Phishers' Safest Harbors: Exposing the Dark Side of Subdomain Registries at APWG.COM.

Archived at http://www.securityskeptic.com/arc20081101.htm#BlogID712 by Dave Piscitello  

Wed, 12 Nov 2008 00:00:00 00, 711
Phlavors of Phishing

I still recall my first visit to a Baskin Robbins Ice Cream Parlor. Some of you no doubt recall your own awe and anticipation when presented with the opportunity to choose from 31 flavors of ice cream! Fifty years later, and I feel angst and trepidation when I confront the imposing numbers of phlavors of phishing.

Phishing is commonly associated with financial scams and identity theft. As I scanned nearly six months of mail posted to an antiphishing list, I noticed how broad the phishing reach has extended. Sifting through five months' worth of posts and several weeks worth of URLs listed at PhishTank, I found at least one phishing attack notification and multiple targets in the following categories:

  • Financial scams/Identity theft. The list of banks attacked illustrates that financial institutions of all sizes and kinds are in play: Abbey, Alliance, Barclays, Chase, Citigroup, Colonial, Commerce, Compass, Farmers State, Franklin, Halifax, HSBC, Home Valley, Leicester, Lloyds, NatWest, Ocean, State Farm, Synergy, UniCredit Banca di Roma, Wells Fargo, ...

  • Bank scams that use fake security certificates. In attacks against Wachovia and Bank of America, phishers used bogus digital certificates to convince visitors that the site is SSL-protected.

  • Domain name authority impersonations. Phishers used anticipated correspondence (e.g., annual Whois accuracy reporting, account verification) from ICANN, eNom, Network Solutions, Netsons (reseller) to convince users to disclose login information for domain name account management.

  • Government agency impersonations. Phishers impersonated US IRS eFile and Her Majesty's Revenue and Customs, and the FTC to obtain social security IDs and other personal information.

  • Fee/Deposit scams. Phishers still lure victims with various state and national lotteries, and other 419/Nigerian scams, and now customize these with phony contests run by recognizable brands like Pepsi.

  • Banner and pay per click ads. Phishers replicated landing pages and altered Google Adsense and AdWords on these pages to divert PPC revenue from Google customers to accounts they control directly or through mules.

  • Software scams. Impersonating Microsoft, antivirus companies (AntiVir, McAfee), and open source developers (Joomla!), phishers lured victims into downloading malware instead of patches, virus definitions, and executable binaries.

  • Political contribution scams: Obama and McCain

  • eMerchants: The major eMerchants (eBay, PayPal, Amazon.com) remain prime targets for phishers, but smaller merchants (Big 5 Sporting Goods, Shopping.com) are targets now as well.

  • Online payment services: Phishers remain very interested in hijacking PayPal, MoneyBookers, and Cahoot accounts.

  • VoIP service hijacking: Vonage is a primary target for enticing customers into downloading malware that purports to optimize their VoIP service. Account hijacking was also popular.

  • Online Pharmaceuticals. I found hundreds of domains hosting sites that sell prescription meds without prescriptions. They are inherently illegal, so phishers don't need to impersonate a Pharmacy brand.

  • Airline rewards programs: AAdvantage was phished using a $50 award for completing a survey that included numerous questions seeking personal and financial information.

  • Social Networks. Phishers targeted Facebook, Hi5, Classmates.com, SinglesNet.com, Habbo, and HabboTeen accounts. I could have listed a dozen more if I could read Cyrillic, Korean, Chinese, and Japanese. These are great resources for hosting malware and to send spam.

  • Sharing sites. Account grabbers target Flickr, Myfavoritetube.net, YouTube, and Yahoo! Photos.

  • Blogs. Geocities and BlogSpot are reputed to be the hottest spots for hosting malware. The phish email notices I found corroborate this claim.

  • email accounts: Gmail, MSN, and Yahoo! email accounts are valued by phishers because they can be used to spam or to collect stolen credentials they obtain from impersonation web sites.

  • List, messenger, and contact managers. Phishers cast their nets to any account they can compromise, from the "remove my email address from your list" managers to sites such as Twitter, CheckMessenger3, MeetYourMessenger, and Messenger FX that enhance or extend the reach of instant messaging.

If I were a phishing behavior analyst, I might profile a formidable phishing "unsub" as follows. The unsub attacks any financial, merchant or social networking venue that he believes will eventually lead to money or resources. He explores any and all means available to obtain personal information and account logins. The unsub is interested in any account. He relies on the inherent laziness of Internet users who use the same names and passwords for many if not all of the web accounts they create. He is patient, willing to sort and correlate information from multiple successful attacks against an individual to land a whale: an individual with a fat online banking account and sloppy Internet habits, or administrative control over a portfolio of domain names that he can use to make money via subsequent phishing attacks or sell in the underground market to other unsubs. He is elusive, and criminally clever.

If you don't want to be the next unsub's victim, take measures to protect all your online accounts. Don't use short, simple passwords. Don't use the same username and password for every account you create on the web. Don't publish information on social networks, blogs, and wikis that provide clues the unsub can collectively use to identify you. Imagine the kind of information you would hesitate to share with a stranger and exercise the same caution in your virtual world as you would in the real world.

Archived at http://www.securityskeptic.com/arc20081101.htm#BlogID711 by Dave Piscitello  

Sun, 31 Aug 2008 00:00:00 00, 702
Variations on a theme - ICANN Impersonation

My ICANN SSAC committee published an advisory in June describing how phishers were impersonating domain name registrars and resellers. A registrar-impersonating phisher tries to lure a registrar's customer to a bogus copy of the registrar's customer login page. If the bogus registration page is a convincing one, the customer may unwittingly disclose his account credentials. The phisher will then use these credentials to modify or assume ownership of the customer's domain names.

Phishers use an anticipated correspondence from registrars and resellers as the lure, such as a domain name order confirmation, DNS modification confirmations and WHOIS data accuracy reminders. In some cases, it appears that phishers will attempt to impersonate ICANN rather than registrars or resellers.

Here's a sample of a recent phishing attack where the phisher attempted to impersonate ICANN:

From: ICANN [mailto:icann at icannresolve dot com]
Sent: Tuesday, June 24, 2008 12:22 AM
Subject: ICANN - Domain Upgrade Notice

Dear Domain Account Holder,

You are being sent this notice from ICANN due to the fact that you
currently own an active domain name. ICANN is currently upgrading all
domains from their registry database.

The upgrade will introduce new control options for your domain and
easier access. The new upgrade is required by the registry. All domain
users are expected to submit their domain information manually at
http://www dot icannresolve dot com/email/link.php?M=27952&N=5&L=1&F=T with the
required information for ICANN to apply the required updates.

The upgrades will be applied to accounts on a first come, first serve
basis. You have until July 25, 2008 to submit the required information
to avoid service and domain interruption.

Thank you for your time.

ICANN.org Resolutions Department

This turned out to be a rather pheeble phish attempt. Domain portfolio holders who recognize the name ICANN are most likely to detect that this message is bogus. Those domain name holders who don't recognize ICANN would have been more likely to fall prey to this attack if the phisher had impersonated an ICANN-Accredited Registrar. A recipient of this scam message who did visit the embedded link would have landed on the following forms page:

This page is not a domain account management page but a faked copy of the ICANN Paris Meeting registration page.

If only all phishers were this lame. Sadly, as lame as this attack seems, some recipients were duped into disclosing all the information requested at the hoax site.

Archived at http://www.securityskeptic.com/arc20080801.htm#BlogID702 by Dave Piscitello  

Tue, 15 Jul 2008 00:00:00 00, 698
FTC on Phishing: Education is a Key Tool

The FTC has released a report on a Roundtable discussion on Phishing Education held April 1st 2008. Yes, at first I was suspicious that this might be a hoax...

The panelists confirmed what I and many of my antiphishing working group colleagues have said for some time: phishing is mostly about social engineering and little about technology. It's good news that the antiphishing community is rallying around this theme, and even better that they point to ISPs and others who use redirection and landing pages as "teachable moments" for phishing education as role models.

How does this work? Typically, once a domain or web site has been identified as a phishing site, ISPs, registrars, etc. take down that site. In many cases, the ISP, hosting company, or even a DNS operator will have an opportunity to redirect a user's request for that page to an alternate web page called a landing page. Instead of having this landing page say "URL not found", the education page says, "The web page you attempted to visit was suspended because it was a phishing site. Lucky you, we've disabled that site. Since you were tricked into visiting here, please read the following information and learn how to avoid doing this again. You may not be lucky twice..." The APWG is working on just such a redirect page. Some ISPs and organizations have developed their own (1). IMO, this is a much better service to the community than the self-serving practice of error resolution.

An important part of the education provided at such pages, and in training videos and sessions elsewhere, is to emphasize how adept phishers have become at personalizing phish emails. Phishers commonly gather information to make their email impersonation of a brand like eBay or a bank look very real. This is old news. They now gather information from browser histories, public databases (WHOIS), etc., to personalize the email. Increasingly, you, the average Internet user, will receive email from "familiar faces". Not just any bank, but your bank. Not just any retailer, but retailers whose sales and special-offer emails you've opted in to receive. Phishers also target individuals who are likely to have considerable personal wealth: in what is called spear-phishing, the attacker will target all the officers and board members of a corporation. These are the "whales" in the sea of targets they phish. Owners and officers of small and medium businesses are just as vulnerable as large corporations, perhaps more so since they may not have the staff, technology and expertise in-house to educate and protect them. Discussing ways to make users aware of these and other new munitions in the phishers' arsenals is a very useful exercise, and the FTC should continue to foster this sort of dialogue.

The FTC report itself is relatively brief, essentially a meeting report. But the messages highlighted in the summary are worth reading. Look for the report at http://www.ftc.gov/reports/index.shtm.

Archived at http://www.securityskeptic.com/arc20080701.htm#BlogID698 by Dave Piscitello  

Thu, 12 Jun 2008 00:00:00 00, 694
Global Phishing statistics: multiple looks

The APWG has published its Global Phishing Survey: Domain Name Use and Trends in 2007. This report examines many phishing trends. The most interesting may well be the distribution of domains used by phishers according to generic and country code top level domain and the most worrisome may be the increased use of subdomain providers for phishing.

One reason why the APWG phishing survey is interesting is that it arrives at very different conclusions from McAfee's second annual "Map the Malweb" study. McAfee lists (in order) Hong Kong, the People's Republic of China, the Philippines, Romania and Russia as the "most dangerous domains to surf and search on the web" and (in order) Finland, Japan, Norway, Slovenia, and Colombia as the safest.

Sidebar: I have a hard time wrapping my head around any phrase that includes "Colombia" and "safest" in the context of criminal activities, don't you? My immediate reaction was to Google "Colombia safest". Not surprisingly, I learned that Colombia's murder rate in 2003-2004 was nine times that of the U.S. and that Colombia is the ransom kidnapping capital of the world. Factor in drug trafficking and it's pretty clear few miscreants in that country have the time or patience to do e-crimes.

APWG's study uses an interesting metric - Phishing Domains per 10,000 - to assess whether one TLD has a higher or lower incidence of phishing relative to other TLDs. Applying this metric, APWG's top five are Hong Kong, Thailand, Liechtenstein, Romania and Chile. Among the safest TLDs you'll find European Union, United Kingdom, Germany, Argentina and Sweden.
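The per-10,000 metric is what lets a small TLD with a handful of phishing domains outrank .COM, and it is the same normalisation I praised in the 2H2008 survey post above. As an added example that is not part of the original post or of the APWG report, the Python below computes the score for a constructed table of TLDs and shows how the ranking by raw count and the ranking by phishing domains per 10,000 registrations disagree. The registration and phishing counts are made up for the example and are not the survey's figures.

```python
"""Phishing Domains per 10,000: rank TLDs by incidence, not raw count.

Added example for the blog. SAMPLE is constructed data, not APWG figures.
"""

# Constructed sample: TLD -> (phishing domains observed, total domains registered)
SAMPLE = {
    "com": (18_000, 80_000_000),
    "hk": (120, 180_000),
    "de": (700, 12_000_000),
    "th": (40, 45_000),
}


def per_10k(phishing, total):
    """Phishing domains per 10,000 registered domains in the TLD."""
    if total <= 0:
        raise ValueError("total domains must be positive")
    return phishing * 10_000 / total


def score_table(data):
    """Map each TLD to its per-10,000 score, rounded for display."""
    return {tld: round(per_10k(phish, total), 2)
            for tld, (phish, total) in data.items()}


def rank_by_count(data):
    """TLDs ordered by raw phishing domain count, most first."""
    return sorted(data, key=lambda tld: data[tld][0], reverse=True)


def rank_by_score(data):
    """TLDs ordered by phishing domains per 10,000, most first."""
    return sorted(data, key=lambda tld: per_10k(*data[tld]), reverse=True)


if __name__ == "__main__":
    print("score per 10,000:", score_table(SAMPLE))
    print("by raw count:    ", rank_by_count(SAMPLE))
    print("by per-10,000:   ", rank_by_score(SAMPLE))
```

With the constructed numbers .COM tops the raw count but lands third on the normalised score, while .TH, with only 40 phishing domains, leads per 10,000; that inversion is exactly why the normalised ranking is the fairer one to put in front of a registry operator.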

The most curious result? McAfee ranks .INFO as the riskiest generic TLD, whereas APWG's metric ranks it as the safest.

Different metrics, data, and measurement periods appear to contribute to the disparities in results. However, APWG casts a narrower net, including only domains that were proven to be associated with a phishing incident. McAfee's study counts web sites that contained adware, spyware, viruses, spam, excessive pop-ups, browser exploits or links to other risky sites among its "dangerous domains". Neither offers a glowing report, but no one I know would believe one if it were published :-O

Archived at http://www.securityskeptic.com/arc20080601.htm#BlogID694 by Dave Piscitello  

Fri, 21 Mar 2008 00:00:00 00, 679
The Privacy Toolbox

The Privacy Toolbox offers a list of 100 resources and guides to help users protect consumer and business identities and sensitive information. Toolbox is something of a misnomer. This is really a resources page - a good one, mind you - with links to guides that discuss all matters related to privacy, including how to protect your US Social Security number, how to freeze your credit rating should you suspect your identity has been stolen, how to remain anonymous when surfing, and how to complete obligatory web forms without disclosing your personal information (see 5 Disposable Web Accounts to Keep Your Identity Safe, brilliant!). Toolbox lists privacy related blogs, applications that cater to anonymity, confidentiality, and the protection of sensitive, personal information and sites where you can opt out of unsolicited credit card offers (visit OptOutPrescreen.com). Find the Privacy Toolbox here.

Archived at http://www.securityskeptic.com/arc20080301.htm#BlogID679 by Dave Piscitello  

Fri, 11 Jan 2008 00:00:00 00, 666
A simple test to detect a phishing or scam site

Suppose you attempt to purchase a product with a credit card on a site you've never visited before. You find the product you want, add it to your cart, and proceed to checkout.

You connect with HTTPS:// for that warm and comfy feeling everyone gets when they begin a *secure transaction* ;-) But - oh my! - your browser warns you that some aspect of the certificate is suspicious; for example, the name of the server does not match the name in the server's certificate. This sometimes occurs when a company issues certificates from its own certificate authority, and that authority is not included in your browser's built-in store of trusted authorities. A similar warning may pop up if an e-merchant's certificate lifetime has expired. At this point, you can conclude that the merchant's web administration is possibly lax but the merchant may be reputable.

You are now faced with several choices. Abandon the purchase or restore your shaken confidence in this merchant by inspecting the certificate. If you choose the latter, and before you click on the popup that says, "yes, accept this certificate, get out of my face", you might want to try this.

Complete the checkout form, but fill in some of the personal and credit card fields with incorrect data; in particular, provide an incorrect credit card number. If the merchant accepts the purchase, you probably shouldn't trust the site and you ought to report the site to an antiphishing group. If the site tells you that the credit card (and personal) information is incorrect, try again, you can feel better about proceeding with the transaction.

This check is no guarantee against a very sophisticated deception. If you are uncertain, and especially if the buying opportunity is too good to resist, be suspicious and abandon the transaction.
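The test works because a real merchant validates the card number before it ever talks to a payment processor, and a bogus number fails that validation. As an added example (not code from this blog or from any merchant), here is the check a legitimate checkout form performs in Python: the Luhn digit test that every major card number satisfies, an expiry-date check, and a form validator that reports each bad field. The test card number 4111 1111 1111 1111 is a well-known Luhn-valid sample; the form values are constructed.

```python
"""What a legitimate checkout does with the card fields.

Added example for the blog; the form dictionaries are constructed inputs.
"""
import re
from datetime import date


def luhn_valid(number):
    """Return True when the digits pass the Luhn (mod-10) check.

    Spaces and hyphens are ignored; anything else non-numeric, or a length
    outside the 12-19 digits real card numbers use, fails.
    """
    s = number.replace(" ", "").replace("-", "")
    if not s.isdigit() or not 12 <= len(s) <= 19:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and fold
    # two-digit products back into a single digit by subtracting 9.
    for i, ch in enumerate(reversed(s)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def expiry_ok(expiry, today=None):
    """Accept an 'MM/YY' expiry that is this month or later.

    today is a (year, month) tuple; it defaults to the current month.
    """
    m = re.fullmatch(r"(\d{2})/(\d{2})", expiry.strip())
    if not m:
        return False
    month, year = int(m.group(1)), 2000 + int(m.group(2))
    if not 1 <= month <= 12:
        return False
    if today is None:
        now = date.today()
        today = (now.year, now.month)
    return (year, month) >= tuple(today)


def validate_checkout(form, today=None):
    """Return a list of error messages for a checkout form; empty means OK.

    form keys (constructed for this example): name, card_number,
    expiry ('MM/YY'), cvv.
    """
    errors = []
    if not form.get("name", "").strip():
        errors.append("cardholder name is required")
    if not luhn_valid(form.get("card_number", "")):
        errors.append("card number is invalid")
    if not expiry_ok(form.get("expiry", ""), today):
        errors.append("card expiry is invalid or in the past")
    cvv = form.get("cvv", "")
    if not (cvv.isdigit() and len(cvv) in (3, 4)):
        errors.append("security code is invalid")
    return errors


if __name__ == "__main__":
    good = {"name": "A Shopper", "card_number": "4111 1111 1111 1111",
            "expiry": "12/30", "cvv": "123"}
    bad = dict(good, card_number="4111 1111 1111 1112")
    print("good form:", validate_checkout(good))
    print("bad form: ", validate_checkout(bad))
```

A site that swallows the second form without complaint is not running anything like this code, which is the signal the test above is looking for; note that Luhn only catches typos and made-up numbers, and a real processor still has to authorise the card.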

Archived at http://www.securityskeptic.com/arc20080101.htm#BlogID666 by Dave Piscitello  

Tue, 16 Oct 2007 00:00:00 00, 655
Yet another phishing target: Domain Name Registrars

A recent post to an anti-phishing mailing list identified this clever and evil attack against domain name registrants. The attack exploits domain name renewal notice emails that registrars send to registrants. The attack uses similar social engineering and deception techniques as those used in identity theft and other phishing attacks. From the post...

"Phishing attacks against registrars allow for take-over of legitimate domain management accounts for use in future ROCK attacks - either through control of existing legitimate domains or via registration of new ROCK domains on an account that the registrar "trusts" since it's been used for valid purposes over a long period of time. With a domain take-over, you can reconfigure DNS to still work for the "real" site, while wild-carding all other host names - much the same way the ROCK group already operates, so take-down will be slowed considerably since the domain itself can't be deleted."

If I interpret this post correctly, the attacker (in this case, the notorious ROCK phishing group) proceeds as follows:

  1. Use the WHOIS service to obtain the registrant's email contact information *and* the registrar for a domain name(s).

  2. Set up a bogus registrar phishing site

  3. Compose a renewal email that appears to be from the registrar and send this to the email contacts for the domain name(s).

  4. Wait for registrants to fall prey to the deception.

  5. When the registrant visits the bogus registrar web site, collect the registrant's account credentials via a bogus login page.

  6. Use the collected account credentials to alter the registration record, i.e., to hijack the domain name or name service.

  7. Use the domain name for illegal activities.
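A registrant's own defence against step 3, and against the ICANN impersonation I described in August, is to check where a "renewal" email actually points before clicking. As an added example (not part of the original post), the Python below pulls every URL out of a renewal email, works out the registrable domain of each link, and flags any that is not the registrar's domain you recorded when you registered, plus links to bare IP addresses. The sample email and the registrar domain are constructed; the two-label approximation of "registrable domain" is a simplification noted in the code.

```python
"""Flag renewal-notice links that do not point at your registrar.

Added example for the blog. SAMPLE_EMAIL and the registrar domain are
constructed; nothing here is real registrar correspondence.
"""
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)

# Constructed sample: a plausible renewal notice with one legitimate link,
# one link whose host merely begins with the registrar's name, and one
# link to a bare IP address.
SAMPLE_EMAIL = """Subject: Your domain securityskeptic.com expires in 14 days

Renew now at http://example-registrar.com.renewals-center.net/login
Or view your invoice at https://www.example-registrar.com/account
Support: http://192.0.2.10/help
"""


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Assumption for this example: a production check should consult the
    Public Suffix List, since names such as example.co.uk need three labels.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    """True when the host part of a URL is an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(body, registrar_domain):
    """Return [(url, reason), ...] for every link that should not be trusted.

    registrar_domain is the registrable domain you recorded for your
    registrar when you registered (constructed here, e.g. example-registrar.com).
    """
    findings = []
    expected = registrar_domain.lower()
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        if is_ip_literal(host):
            findings.append((url, "bare IP address"))
        elif registrable_domain(host) != expected:
            findings.append(
                (url, f"domain {registrable_domain(host)} is not {expected}"))
    return findings


def looks_like_phish(body, registrar_domain):
    """Single verdict: any untrusted link makes the notice suspect."""
    return bool(check_links(body, registrar_domain))


if __name__ == "__main__":
    for url, reason in check_links(SAMPLE_EMAIL, "example-registrar.com"):
        print(f"SUSPECT {url}: {reason}")
```

The first link is the one that fools people: the registrar's name is right there at the front of the host, but the registrable domain is renewals-center.net. Comparing the registrable domain rather than looking for the registrar's name anywhere in the URL is the whole point of the check.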

Once the attacker has control of the domain, he can attempt all sorts of illegal activities. The attacker can launch an attack against the domain itself (he controls the name service!); as colleague Danny McPherson of Arbor Networks points out, he can proxy or create a deception site at that domain name, insert an iframe, incorporate a BHO or other malware download to infect a visitor's PC. Or he can use the hijacked domains to facilitate fast flux attacks.

To conceal the illegal activities, the attacker will add records to the domain's legitimate zone file rather than replace the zone entirely to improve the odds that the hijacking may not be discovered quickly. This form of domain hijacking allows fast flux attackers to conceal the location of their illegal web sites even longer than before, and complicates takedown procedures that first responders and law enforcement might initiate because the domain name is not only used to abet phishing but to support the real business needs of the registrant that fell victim to the phishing attack and is thus not easily deleted from the TLD zone file.
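Because the hijacker adds records rather than replacing the zone, the registrant's best detection is a diff of the zone against a known-good copy. As an added example that is not part of the original post, the Python below parses two constructed zone snapshots, reports records added or removed, and raises alerts for the two patterns the post and the quoted list message describe: a wildcard name that catches every host name, and new short-TTL address records of the kind fast flux relies on. The zone data, names and addresses are constructed from documentation ranges.

```python
"""Diff a zone against a known-good snapshot to catch added records.

Added example for the blog. Both zone texts are constructed; the addresses
come from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24.
"""

# Constructed: the zone as the registrant last saw it.
BASELINE_ZONE = """
example.com.      3600 IN SOA ns1.example.com. hostmaster.example.com. 2007100101 7200 900 1209600 300
example.com.      3600 IN NS  ns1.example.com.
example.com.      3600 IN A   198.51.100.7
www.example.com.  3600 IN A   198.51.100.7
example.com.      3600 IN MX  10 mail.example.com.
"""

# Constructed: the same zone after a hijacker appended records. Every
# legitimate record is still present, so the real site keeps working.
HIJACKED_ZONE = """
example.com.      3600 IN SOA ns1.example.com. hostmaster.example.com. 2007100102 7200 900 1209600 300
example.com.      3600 IN NS  ns1.example.com.
example.com.      3600 IN A   198.51.100.7
www.example.com.  3600 IN A   198.51.100.7
example.com.      3600 IN MX  10 mail.example.com.
*.example.com.            300 IN A   203.0.113.9   ; wildcard catches any host name
secure-login.example.com. 300 IN A   203.0.113.9
"""

FAST_FLUX_TTL = 300  # assumption for the example: TTLs at or below this are suspicious


def parse_zone(text):
    """Parse 'name ttl class type rdata' lines into a set of record tuples.

    ';' comments are stripped and SOA records are ignored so that a routine
    serial bump does not show up as a change.
    """
    records = set()
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5:
            continue
        name, ttl, _cls, rtype, rdata = (parts[0], int(parts[1]), parts[2],
                                         parts[3].upper(), " ".join(parts[4:]))
        if rtype == "SOA":
            continue
        records.add((name.lower(), ttl, rtype, rdata))
    return records


def diff_zone(baseline_text, current_text):
    """Return added/removed records and a list of alert strings."""
    base, cur = parse_zone(baseline_text), parse_zone(current_text)
    added, removed = sorted(cur - base), sorted(base - cur)
    alerts = []
    for name, ttl, rtype, rdata in added:
        if name.startswith("*."):
            alerts.append(f"wildcard record added: {name} {rtype} {rdata}")
        elif rtype in ("NS", "MX"):
            alerts.append(f"delegation or mail routing changed: {name} {rtype} {rdata}")
        elif rtype in ("A", "AAAA") and ttl <= FAST_FLUX_TTL:
            alerts.append(f"new short-TTL address record: {name} TTL {ttl} -> {rdata}")
    return {"added": added, "removed": removed, "alerts": alerts}


if __name__ == "__main__":
    result = diff_zone(BASELINE_ZONE, HIJACKED_ZONE)
    print("removed:", result["removed"])
    print("added:  ", result["added"])
    for alert in result["alerts"]:
        print("ALERT", alert)
```

Run against the constructed snapshots the diff shows nothing removed, which is the stickiness the post describes, and two additions that each trip an alert. Pulling the zone through a periodic AXFR or from the registrar's DNS management page and diffing it this way is cheap insurance for a domain portfolio.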

It turns out that several of my domains are up for renewal. You can be certain that I paid close attention to each renewal email from my registrar and followed the widely recommended "safe practices" when opening and reading email. Read my Anti-Phishing page and visit the Anti-Phishing Working Group for more information.

Archived at http://www.securityskeptic.com/arc20071001.htm#BlogID655 by Dave Piscitello  

Wed, 05 Sep 2007 00:00:00 00, 647
Is FRED a good security system?

I read James Gaskin's column, The Fred Security System: Improve security for zero dollars, with some interest and of course skepticism:-) Jim proposes that every company have a "Fred", a reasonably smart and suitably trained individual to whom email attachments can be forwarded for inspection. Fred uses his antivirus, anti-phishing and anti-spyware savvy and his amply fortified workstation to ferret out malicious email payloads and attachments, which possibly adds a level of malware protection without increasing your budget.

My experience with Freds is that they don't always pan out the way Jim suggests. I've met lots of Freds. I call them Bob. But for now, let's stick with Fred.

I'm OK with educating users on the dangers of malware. I'm OK with giving users who show some savvy a reasonable set of malware detection tools. And I think that in very small businesses, having a Fred is a reasonable idea as long as the small business can escalate the problem beyond Fred to a competent, affordable, and trustworthy 3rd party. I have several reservations, based on experiences with Freds in businesses small, medium, and large.

Fred is not available 24x7. Fred's inspection capabilities and breadth of knowledge regarding malware are more limited than those of any automated system such as an email security proxy or Unified Threat Management appliance. Most importantly, Fred can't keep current with the insane pace and variation of malware attacks. Unless Fred is seriously over-qualified for his role, I speculate that Fred is entirely ill-prepared to deal with never-before-seen or 0-day attacks (I hate this term, BTW).

My experience is that Fred is not zero-cost. Fred is being paid, ostensibly to satisfy a role other than malware ferret. Hours Fred devotes to ferreting out malware don't appear in the security budget but affect productivity elsewhere. This is security through budget obscurity. It's also my experience that Fred doesn't scale. One Fred can perhaps deal with malware in an office of 10-25, but how many Freds will you need for an office of 50, 100, 1000?

I suspect that if you study costs carefully, you'll find that even a single Fred costs more than the gateway antispam inspection software that ships in today's SMB/SOHO firewalls and unified threat management (UTM) appliances. I'll venture that you could buy a Watchguard, SonicWall or Netscreen UTM with an annual subscription for virus/spam/IPS definitions, probably for less than the cost of buying Fred lunch for 6-8 months (possibly depends on how much Fred eats).

Will a malware gateway/UTM improve security without increasing your budget? Of course not, nor will it break your budget.

One last life-lesson regarding Freds. All my SMB consulting is pro bono or deeply discounted as favors to friends, schools, and parishes. In all these networks, I find Freds. The difficulty I've experienced when dealing with nearly all Freds (or cleaning up after them) is that they cannot resist opportunities to play sys admin. They read about a registry setting and can't wait to change it on everyone's system. They read about secure browser settings, run to every novice's desktop and rejoice in having made the network a safer place. They wreak havoc on innocents who find that they can't use their browser as they've been taught, who encounter errors they don't understand, who learn to lock their offices to keep Fred at bay, and who roll their eyes when the consultant comes in to remedy the wounds Fred has inflicted.

Use Freds as you would a topical cream for a rash or insect bite: apply in small doses, monitor carefully, and never conclude it is an effective substitute for a physician's knowledge and expertise. If you want a Fred rather than a UTM appliance, however, you may as well train Fred to be a sys admin because that's what he'll very likely try to be.

Archived at http://www.securityskeptic.com/arc20070901.htm#BlogID647 by Dave Piscitello  

Mon, 09 Jul 2007 00:00:00 00, 629
Blocking executables on Windows XP

Colleague and friend Marcus Ranum wrote a really interesting article and review of executable control software for Windows XP. The article, Execution Control: Death to Antivirus, documents Marcus' long struggle to deal with malware on Windows XP. In typical Ranum fashion, Marcus delivers one scathing criticism and condemnation of vested self interest after another as he explains why he punted Norton AV from his security software inventory, how he began hunting for a "default deny" approach to managing executables on his personal computers, how the honeymoons with two commercial products ended in divorce, and how he finally found a freeware soul mate in the form of ExeLockdown from Horizon Data Sys, Inc.

Unfortunately, while Marcus has found a security soul mate, the rest of us won't be so fortunate. I visited Horizon DataSys to download a copy of the freeware and it's no longer available. I used the real time chat to ask a company rep why it was no longer available and he explained that "we are creating a better version that will work in enterprise environments as well as Vista. The old version was offered as freeware and was more of a support issue without any revenue."

While I can't blame a company for wanting to earn a profit and focus support on for-fee products, it's hard to understand why they can't leave the freeware available for users sophisticated enough to use it without support. I also can't fathom how any company that has the good fortune to get as respected an authority as Marcus Ranum to write something positive about its product would "leave the money on the table" by taking the product out of circulation. Isn't it possible that the cachet a company earns from word of mouth like, "oh, yeah, that's the company that has that neat execution control program Marcus wrote about" is worth a token support effort for a freeware program? Some day, someone will explain marketing to me.

Archived at http://www.securityskeptic.com/arc20070701.htm#BlogID629 by Dave Piscitello  

Thu, 05 Jul 2007 00:00:00 00, 626
Lost and Found: Antispyware articles from SecurityPipeline

While updating my antispyware resources pages, I discovered that the hyperlinks to articles I'd written for SecurityPipeline were redirected to DarkReading.com. I contacted the editors, who explained that Security Pipeline's content was not carried over to the new publishing platform when Dark Reading was created. Dark Reading's editor, Tim Wilson, did grant me permission to publish these articles at Core Competence's site, and you can now find the following articles here at the Security Skeptic:

I also took the opportunity to update the Spyware resources pages and have added several recent articles, reviews and recommendations for antispyware freeware.

Archived at http://www.securityskeptic.com/arc20070701.htm#BlogID626 by Dave Piscitello  

Mon, 04 Jun 2007 00:00:00 00, 621
Add CAPTCHA to your web site

One of the most common email harvesting methods used by spammers is spambotting, where automated software is used to search web sites and harvest email addresses. For a while, many folks tried to thwart harvesting by what I'll call @ avoidance, i.e., including an email address in a format such as user [at] domain. Spambots are now sophisticated enough to search for this and other permutations of email addresses.

If you must post your email address on web pages, a better method is to add CAPTCHA-based email protection. A CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) program creates a test or challenge a human being can correctly answer but that a spambot cannot. The most commonly used CAPTCHA technique is one where a user must type words that have been displayed, often in a distorted form. Another form, ESP-PIX, presents the user with a set of images and the user must identify an object that is common to the displayed set.

Some wonderful folks at Carnegie Mellon University provide a simple means to add CAPTCHA to your web site. Visit The reCAPTCHA Project to generate HTML to CAPTCHA-protect your email address. Enter your email address in the reCAPTCHA Mailhide form, cut-paste-customize the HTML, and include it wherever you publish your email address.

For example, my blog pages no longer include mailto: HTML statements. Instead, I've included a hyperlink in my left navigation bar. Click on that link and you'll be challenged in this manner:

Answer correctly and you'll see

My email address is pretty much out in the wild, but I'm adding it on my site to illustrate a point and hopefully help others mitigate spam.

Archived at http://www.securityskeptic.com/arc20070601.htm#BlogID621 by Dave Piscitello  

Thu, 10 May 2007 00:00:00 00, 612
As promised, some new recommendations for antispyware

In BlogID608 I mentioned IT Security's 103 Free Security Applications, and promised to test and review some of these. As promised...

Spyware Terminator is a very nice and complete antimalware package. At first, I was hesitant to even install this package because I recalled a similarly named scamware product, Spyware X-Terminator. After poking around other antispyware and malware info-sites, I sorted through the conflicting opinions and misinformation before concluding these were indeed different packages.

Spyware Terminator provides real-time protection, spyware removal and quarantine. Spyware Terminator provides two levels of scanning: full and quick, and the latter lived up to its name by completing a scan in under 1 minute on three different Windows machines. Spyware Terminator provides a rudimentary host intrusion prevention system by building a list of installed, spyware-free programs and only allowing these and other applications identified by you or the developers as known-to-be-safe applications to execute.

The installer provides an integrated version of the popular open source-based WinClamAV antivirus software. WinClamAV is based on the same antivirus engine as the version I'm using on my MacBook and I'm just as comfortable installing and using it on a Windows machine. On my test systems, I ran Spyware Terminator without interference or conflict with AVG 7.5 Professional antivirus (I used this instead of WinClamAV on one PC) and other antispyware software (SpywareGuard, Spybot Search and Destroy). Automatic updates, beginner/advanced/expert configurations and a file analysis utility (to test if a file is suspect-ware) make this a useful antispyware package. A commercial version is available for organizations who want to centrally administer antispyware measures on all machines connected to a network.

Archived at http://www.securityskeptic.com/arc20070501.htm#BlogID612 by Dave Piscitello  

Mon, 12 Jun 2006 00:00:00 00, 534

Everyone knows about and receives spam. Many folks also receive spam on instant messaging (SPIM), IP Telephony (SPIT), and even short messaging services (SPASMS). Now, even the chat channels of popular online games like World of Warcraft are attracting spammers.

So from the original coiner of the acronym SPASMS, I give you SPOG - spam on online games.

I play WoW with my colleagues and my son. It's a nice break from the real world; in WoW, I encounter a much higher percentage of pleasant and generous characters than the real world. I get to whack the heck out of something with impunity. I learn crafts and trades. And until recently, I had a high signal-to-noise ratio on the chat channels. Unsolicited advertising is now invading my leisure world! This is NGAT (not good at all) and I am definitely not ROFL (rolling on the floor laughing).

One way to measure whether something is acknowledged as A Problem is to search to see if someone's invented A Solution. Sure enough, if you Google "World Warcraft spam" you'll find antispam plugins like Spam-Guard Plus, which "monitors say, yell, tell and numbered chat channels for spam and automatically ignores spammers for the rest of the session". (Source squelch - I love it)

Archived at http://www.securityskeptic.com/arc20060601.htm#BlogID534 by Dave Piscitello  

Sun, 26 Feb 2006 00:00:00 00, 507
Anton Chuvakin on Spyware

Colleague Anton Chuvakin posted a solid and up to date article on spyware on O'Reilly's WindowsDevCenter website. In the article, Anton offers a good taxonomy of spyware and an equally good explanation of countermeasures and recovery procedures. Anton reiterates one piece of advice I routinely see in antispyware articles:

"As far as responding to a spyware infection, the only guaranteed 100 percent effective measure a user can take is to rebuild a system. Only this will guarantee removal of all traces of malicious software from a system."

Home users are most accustomed to rebuilding a system from scratch from the OEM recovery disks. This method has the unfortunate consequence of providing you with a clean, default installation. Users must then reinstall applications and reconfigure security settings. In some cases, users may lose configuration data they haven't stored elsewhere, including Internet access settings and (woefully) all those passwords they may have stored using password management software or (yikes!) Notepad.

I recommend that users, home and professional, invest in disk imaging software. When you purchase a new computer, and before you connect it to the Internet and browse the web, install all the software you most commonly use - Office, security software, etc. Configure the security settings you will rely upon as your security baseline. Now make a complete image of your C:\ drive using the imaging software. If you ever have to recover your Windows OS following a spyware or virus infection, reinstall the "recovery image" you created.

In BlogID #298, "Beyond my documents", I recommend disk partitioning. Follow the recommendations in this item, make certain that you back up configuration data and your recovery image on a partition other than C:\, and you'll be able to recover your PC to a more complete and secure state from a spyware infestation. You may have to reinstall some applications you installed after you created your recovery image, but in my experience, you will reduce your effort from several hours to 30-40 minutes. Remember: if you want a clean recovery image, you can't surf the web, read email, transfer files, IM, or use any application that may store or upload cookies, files, scripts or executables on your computer.

Archived at http://www.securityskeptic.com/arc20060201.htm#BlogID507 by Dave Piscitello  

Sat, 04 Feb 2006 00:00:00 00, 501
Care and Handling of Credit and Personal Information

Despite the real and present dangers that Internet identity theft, phishing and email scam attacks pose, we cannot afford to overlook measures we can take to protect our identities and credit from attacks in the real (physical) world.

Financial institutions, law enforcement agencies and attorneys recommend a number of ways you can protect against credit card theft and misuse, check fraud, and unintentional disclosure of personal information that can be used by impersonators, extortionists and other malicious or malevolent persons. A short list of some of these follows...

Archived at http://www.securityskeptic.com/arc20060201.htm#BlogID501 by Dave Piscitello  

Thu, 05 Jan 2006 00:00:00 00, 488
How do I block ad sites? Let me count the ways...

I received several comments shortly after boasting that I had successfully blocked DoubleClick. There are many ways to block advertisers. I have used cookie blocking, manipulating domain name resolution, and configuring a "blocked site" policy in a firewall.

Blocking ad cookies is simple and can be done by configuring a browser to block 3rd party cookies, which are often written to your computer by ad tracking companies. Read how to do this in IE 6.0 here. The same feature is available in Firefox via the Cookies tab of the Privacy Option under Tools. Many antispyware packages also provide cookie blocking. (An interesting feature of Firefox allows you to remove a cookie and block a site from ever setting it again.)

An advertiser must open connections to its ad server to collect the information it stores in the cookie it has placed on your computer. These connection attempts are programmed into web pages you visit (the site hosting pages with such hidden connections pays the advertiser for its tracking and targeted marketing services, and is called an affiliate). Fortunately, an advertiser must use the DNS to resolve the domain name of its ad server to an IP address. By modifying your PC's hosts file so that ad server names resolve to localhost, you redirect connection requests to your own PC. These will fail quickly. The rest of the page you visit will load. You may see an error similar to the one I captured in BlogID #487, but this depends on how the page is programmed. Either way, DoubleClick can't collect information from you. You can point the domain names of all the ad servers you wish to block to localhost, including DoubleClick, AdTech, Honesty, Profero, ValueClick, and hundreds of others. Find lists of ad servers here. If you run Active Directory on your network and want to block ad servers uniformly across all client PCs, create a group policy to replace the user's hosts file at logon. This trick may also thwart hijacking spyware that alters the user's hosts file.
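The hosts-file technique above as working code, added here and not taken from the post: it merges a list of ad-server names into hosts-file text so they resolve to 127.0.0.1, skips names that are already blocked so the merge can be re-run from a logon script without duplicating lines, and lists any name the file maps to a routable address, which is what the hosts-file hijacking mentioned in the last sentence looks like. The example-adnet.test names and the sample hosts file are constructed placeholders, not a real block list.

```python
"""Maintain hosts-file ad blocking: point ad-server names at loopback, keep
the merge idempotent, and flag entries that resolve anywhere else.
Constructed example; all names and addresses below are placeholders."""

import ipaddress
from typing import Dict, Iterable, List, Tuple

# Windows XP keeps the file at %SystemRoot%\system32\drivers\etc\hosts,
# Unix-like systems at /etc/hosts. These functions work on the file's text.
BLOCK_ADDRESS = "127.0.0.1"
SECTION_START = "# BEGIN ad-server block list"
SECTION_END = "# END ad-server block list"


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each host name to the address the resolver would use for it.
    The first matching line wins, which is how hosts-file lookup behaves."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def is_blocking(addr: str) -> bool:
    """True for addresses that make a name unreachable: loopback (127.0.0.1,
    ::1) or the unspecified address (0.0.0.0) that some block lists prefer."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def merge_block_list(text: str, ad_servers: Iterable[str]) -> Tuple[str, List[str]]:
    """Add loopback entries for ad servers not already blocked.

    Returns the new file text and the names that were skipped because the
    file already maps them to a routable address; those deserve a human
    look rather than a silent overwrite."""
    existing = parse_hosts(text)
    to_add: List[str] = []
    conflicts: List[str] = []
    for name in sorted({n.strip().lower() for n in ad_servers}):
        current = existing.get(name)
        if current is None:
            to_add.append(name)
        elif not is_blocking(current):
            conflicts.append(name)
        # Already blocked: nothing to do, which keeps repeated runs idempotent.
    if not to_add:
        return text, conflicts
    block = "\n".join(f"{BLOCK_ADDRESS} {name}" for name in to_add)
    if SECTION_END in text:
        head, tail = text.split(SECTION_END, 1)  # extend the existing section
        return f"{head}{block}\n{SECTION_END}{tail}", conflicts
    sep = "" if not text or text.endswith("\n") else "\n"
    return f"{text}{sep}{SECTION_START}\n{block}\n{SECTION_END}\n", conflicts


def suspicious_entries(text: str) -> Dict[str, str]:
    """Host names mapped to a routable address. On a workstation whose hosts
    file exists only for ad blocking, every such entry deserves review."""
    return {name: addr for name, addr in parse_hosts(text).items()
            if not is_blocking(addr) and name != "localhost"}


# Constructed sample hosts file.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
0.0.0.0         stats.example-adnet.test    # left by an earlier block list
192.0.2.15      intranet.example.test       # legitimate internal host
198.51.100.9    www.bank.example.test       # what hijacking spyware leaves behind
"""

# Constructed block list, with a duplicate and mixed case on purpose.
AD_SERVERS = ["ads.example-adnet.test", "Tracker.Example-AdNet.test",
              "ads.example-adnet.test", "stats.example-adnet.test"]

if __name__ == "__main__":
    merged, conflicts = merge_block_list(SAMPLE_HOSTS, AD_SERVERS)
    print(merged)
    print("conflicts:", conflicts)
    print("review:", suspicious_entries(merged))
```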

You can also block ad sites by including the domain names or IP addresses of the ad servers in a blocked site list at your firewall. Your firewall may drop attempts to connect to the blocked site, or it may return an "unreachable" error. Both will cause an HTTP 404 error (page not found). Firewalls and proxies that block sites can also be configured with custom 404 errors, so an admin can advise users that ad blocking is in effect.

But admins shouldn't expect users to go out of their way to thank them.

Archived at http://www.securityskeptic.com/arc20060101.htm#BlogID488 by Dave Piscitello  

Wed, 21 Dec 2005 00:00:00 00, 484
Online Predators Revealed

Chris Powell has written an eBook that provides a wealth of information and good advice to protect against phishing attacks. The book is written with non-technical Internet users in mind. Written in "plain speak", Online Predators Revealed makes powerful use of interesting analogies and provides plenty of simple-to-follow advice to help even school age children avoid phishing and web spoofing attacks.

Archived at http://www.securityskeptic.com/arc20051201.htm#BlogID484 by Dave Piscitello  

Thu, 13 Oct 2005 00:00:00 00, 467
Ask Dave... Multiple antispyware solutions on the desktop

Spyware was a hot topic at the NWW Security Tour 2005 Q & A sessions. One attendee asked for opinions on running multiple spyware solutions on the desktop. It's pretty common for anti-spyware specialists to recommend that you run more than one antispyware solution in posts to antispyware forums like SpywareInfo.com. The most common recommendation is to run both a reputable commercial solution (Aluria, WebRoot, SunBelt CA eTrust...) alongside a freeware product (typically Spybot Search & Destroy), and complement this with a reputable antivirus solution.

One oft-cited upside of running multiple solutions is to increase breadth of detection: one solution may detect spyware that the other overlooks (or does not yet have a definition to distribute). Another upside is that one solution may perform a more complete removal of a spyware package (i.e., running a 2nd removal tool immediately following the first may result in the detection of a Registry setting that should have been removed for completeness by the 1st tool but had not). The downside is that the products may somehow interfere with each other, or even with the antivirus solution.

The humorous side, as I mentioned in this SecurityPipeline article, is that "some products point accusing fingers at each other".

Given the number and combinations of antimalware software you could install, I can't absolutely guarantee you'll have no adverse effects by installing more than one antispyware solution. I can only tell you that I've installed combinations of commercial antispyware software alongside Spybot S & D, SpywareBlaster and SpywareGuard on every PC and laptop in my office and have not experienced any ill effects.

Archived at http://www.securityskeptic.com/arc20051001.htm#BlogID467 by Dave Piscitello  

Tue, 11 Oct 2005 00:00:00 00, 466
A credible antispyware software review

Christopher T. Beers has performed a fairly comprehensive review of seven antispyware products for SecurityPipeline.com. In Review: Spyware Detectors, Beers reviews products from CA eTrust, F-Secure, McAfee, Trend Micro, Lavasoft, Sunbelt, and Webroot. The analysis is very thorough. A really clever and useful feature of this review is that it lets the reader adjust the product feature weighting factors. You fire up a Java applet, adjust the weight of the factors you are most interested in, and the Report Card recalculates the product scores. I've always complained that the weighting factors selected in comparative tests weren't useful, and now the tuner's in my hands - cool!

Archived at http://www.securityskeptic.com/arc20051001.htm#BlogID466 by Dave Piscitello  

Sun, 25 Sep 2005 00:00:00 00, 459
Protesting phishing? Before you retaliate...

Once some folks learn to recognize phishing email, they ruminate over the fundamental evil inherent in a phishing attack, and become tempted to protest or retaliate in some way. Resist temptation! Here's why...

Always bear in mind that phishers are criminals. Most sensible people would resist the temptation to stroll into a hideout and ask all the burglars present to stop surveilling your home, because they would justly fear (physical) retaliation. Visiting a phishing web site is essentially the same act. You are putting yourself at the mercy of whatever measures the phisher chooses to employ at his web site to protect himself, or to do more evil. Phishing web sites are not safe neighborhoods. Consider:

  • While you are satisfying your indignation by completing a web form with "leave me alone you evil SOB" in all the form fields, the web site may be uploading a keylogger to your PC.
  • Should you find an "unsubscribe" mailto or link at the phishing web site and add your email address, you are simply confirming to the phisher that your email is actively in use and inviting more spam and phishing email.

Leave protests to automated services like BlueSecurity (bluesecurity.com), report spam to antispam services like spamcop (spamcop.net), to antispam vendors (Barracuda, Postini, et al.), or to the FTC (forward spam to UCE at FTC.GOV).

Archived at http://www.securityskeptic.com/arc20050901.htm#BlogID459 by Dave Piscitello  

Wed, 21 Sep 2005 00:00:00 00, 458
Ask Dave - Spyware websites

Time for another question from the Network World Security Tour. I promise this series won't devolve into a text version of StrongBad eMail from HomeStarRunner.com...

How can spyware websites continue to operate once they are discovered?

Once spyware infests a computer, its mission is to spy upon the PC user, or to redirect or force the user to visit an affiliate web site. A second and equally important goal for spyware is to evade detection, so that it can continue its primary mission. Several observations can be made from this behavior.

  • Spyware is stealthware. It's hard for an average user to know which web site installed spyware on his PC; in fact, most spyware-affiliated websites are discovered by antispyware software research teams and antispyware activists who trawl the net in search of offenders.
  • Legal action is not "rapid response". Once spyware-affiliated web sites are discovered, the first response by antispyware software vendors and activists is commonly one of technology and countermeasure (e.g., add the site to a blacklist, analyze the spyware installer sample to obtain a signature and identify removal procedures, etc.). This is in my opinion the right response because it can have a material and immediate effect. Moreover, reporting and "hunting down" spyware-affiliated sites is a time-consuming process: tracking down the operators, determining which, if any, laws have been broken, and obtaining the cooperation of judicial and law enforcement systems to terminate operations or take the operators into custody is formidable for professionals, and more than the average user can tackle with any hope of success.
  • The numbers work against us. Even if (enforceable) international laws existed, the number of spyware-affiliated web sites is estimated in the hundreds of thousands, making the task of enforcing the laws practically impossible.

As you see, it's not a simple matter of "weak international laws" as was suggested by the tour attendee who submitted this question. Spyware is yet another example of a virtual arms race, and for the moment, we're losing the battle.

Archived at http://www.securityskeptic.com/arc20050901.htm#BlogID458 by Dave Piscitello  

Wed, 24 Aug 2005 00:00:00 00, 446
Blue Security: Your Right to Complain

Blue Security's approach to combatting spam has attracted its fair share of criticism. Blue combines a proactive Do Not Mail Registry with an automated protest campaign against spammers. Most of the criticism is off target. In several articles, it's clear the critics didn't understand the approach; in other editorials, the critic is exercising his Internet-given privilege to flame.

Blue's protest, performed on behalf of its Do Not Mail subscribers, is a tightly controlled email and forms submission response. It's not a DOS-like retaliatory strike at merchant email accounts, web submissions pages, and access circuits as described by several critics. If any of the critics had taken the time to open-mindedly discuss Blue's methodology with their CEO Eran Reshef, they'd have learned that the response is proportionately bounded: one spam, one complaint. Disclosure: I know Eran well. If you spend any meaningful time talking with him, you'd have to wonder how anyone could conclude that this guy would design a service to "go postal" on spammers.

Blue does what individuals can do themselves: find a party responsible for the spam and complain. Blue does this more scientifically, with more coordination, and to a greater scale than individuals can. Blue wants to change the spam value proposition and ROI, which is ultimately the only way we will ever effectively defeat spam. It's reasonable, proportionate, and ethical.

Marcus Ranum recently wrote an excellent editorial debunking the claims that Blue's approach is unethical. You can read it at http://www.ranum.com/security/computer_security/editorials/bluesecurity/. In the editorial, Marcus gives a thoughtful and thorough analysis of Blue's process. Frankly, it should be required reading for folks who have been publicly critical of Blue Security. Marcus also considers criticisms and concerns that have been brought to the public's attention and explains why they are inaccurate, difficult to corroborate, or just plain silly.

The editorial (thankfully) has a good measure of Marcus' wit and keen edge. You really ought to find time to visit the page and read it.

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID446 by Dave Piscitello  

Tue, 09 Aug 2005 00:00:00 00, 440
When It Comes To Anti-Spyware Tools, Accuracy Is Key

My article on assessing antispyware software is available at SecurityPipeline.com. This article debunks the myth that users and administrators can draw useful conclusions regarding the quality of antispyware products based on numbers of spyware detected, and offers a better basis for comparison. The full article can be found here.

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID440 by Dave Piscitello  

Fri, 05 Aug 2005 00:00:00 00, 439
The Top 5 Enterprise Antispyware Requirements

Good enterprise IT organizations appreciate the importance of orderly processes and centralized control. These characteristics are evident in the software, technology, and workflows they employ to manage complex networks. As they deploy currently available technology to combat spyware, enterprise IT departments have not lost sight of the requirements that will help integrate antispyware measures into standard desktop administration. More...

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID439 by Dave Piscitello  

Tue, 02 Aug 2005 00:00:00 00, 436
Phishing presentation

Roger Seeholzer (Adjunct Professor, University of Maryland University College Europe) contacted me some time ago, asking permission to use graphics from Phishing columns I'd written for Loop as resources for a presentation at CSI 2005. I agreed, and he's graciously returned the favor by sending me a copy of his presentation. You can find it here [pdf], and you can find my columns at http://www.securityskeptic.com/phishing.htm

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID436 by Dave Piscitello  

Fri, 01 Jul 2005 00:00:00 00, 424
Answering the Call for Business-Grade Antispyware

I've written a white paper for Aluria Software that explains the threats and issues spyware poses to businesses small and large. The white paper also identifies ten requirements that businesses should consider when evaluating business-suitable antispyware solutions. The paper concludes with an assessment of how Aluria Software's Paladin product meets the requirements I identify.

You can download the white paper in pdf format from Aluria Software.

Archived at http://www.securityskeptic.com/arc20050701.htm#BlogID424 by Dave Piscitello  

Thu, 30 Jun 2005 00:00:00 00, 423
Webcast on business grade anti-spyware

An on-demand version of my presentation on business-grade anti-spyware is available from TechWeb. During this webcast, I offer my list of top ten requirements for businesses seeking to deploy antispyware measures at the desktop. Find the registration page at TechWeb Today.

Archived at http://www.securityskeptic.com/arc20050601.htm#BlogID423 by Dave Piscitello  

Thu, 16 Jun 2005 00:00:00 00, 418
IE and Spyware

Channel Viewpoint has posted a re-hash of an article I wrote earlier this year for Watchguard Technologies. Profiting from IE's 'problems' is written to help organizations where business practices impede a switch from Microsoft's built-in browser to an alternative. The article explains how organizations can reduce the spyware threat through central IE policy definition and distribution via Active Directory, and more.

Archived at http://www.securityskeptic.com/arc20050601.htm#BlogID418 by Dave Piscitello  

Wed, 04 May 2005 00:00:00 00, 397

Preparing for a security session I moderated at Interop in Las Vegas, I began thinking about the subject of unsolicited messaging. The session, entitled "Is the end in sight, or will SPAM, SPIT and SPIM spin entirely out of control?", seemed to overlook one category of unsolicited messaging that has recently become a burden to cell phone users - spamming short messaging systems.

Colleague Caleb Sima at SPI Dynamics has done several presentations explaining how it's possible to DOS certain cell phones using SMS. In some cases, the subscriber is billed for thousands of unsolicited messages. In others, the phones freeze. And of course there are messages that you simply don't want to receive (The Do Not Call List notwithstanding...).

I realized that I had not seen a unique acronym applied to SMS spam, and one quickly came to mind: SPASMS - Spam Against Short Messaging Systems!

You saw it first here.

Archived at http://www.securityskeptic.com/arc20050501.htm#BlogID397 by Dave Piscitello  

Thu, 28 Apr 2005 00:00:00 00, 393
Blocking Spyware at the Network Gateway

Layered defenses have become standard procedure for blocking the current generation of security threats. To block viruses, spam and intruders, organizations deploy countermeasures at the network gateway and again on individual client systems.

Until now, layered defense against spyware was difficult or impossible. There are plenty of desktop anti-spyware products, but almost none that are server-based. But vendors are moving to fill that gap.

Read the rest of this article at SecurityPipeline.com

Archived at http://www.securityskeptic.com/arc20050401.htm#BlogID393 by Dave Piscitello  

Thu, 21 Apr 2005 00:00:00 00, 389
Spyware laws should focus on bad acts

Antispyware legislation is doomed to repeat history.

Advertising (adware) lobbyists are succeeding in distracting lawmakers into a debate over whether different kinds of software are - or are not - spyware. Congress has already exempted cookies and web bugs as "not spyware". The banana peel is now accurately positioned to help both Houses slide down the slippery slope every consumer and legitimate business hoped they'd avoid.

Nothing good can come from examining each advertising-enabling technology to determine whether it is or is not spyware. Every piece of software, like every knife in the cutlery drawer, and every gun in the pickup rack (remember where I live), can be used for good or evil.

The web bug and adware exclusions really irritate me. Would these same congressmen allow anyone to access telephone usage records? Even in the post-Patriot Act era and from a Republican congress, this seems unlikely. How different is telephone wiretapping from granting anyone an implicit license to add an "IM-bug" to track every instant message, and why does a law enforcement agent require a court order for the former, but (presumably) not the latter?

Let's pause a minute and re-think whether tracking technology is the problem, or whether the problem is really deception.

With this Congress, perhaps we should use the "guns don't commit murders, people do" approach. Software doesn't commit espionage, ...

Antispyware legislation should be easy to write.

  • If it is installed without notice, consent, or the ability to opt-out, it's spyware.

  • If the intent is to copy and transmit information or monitor behavior without your knowledge or consent, it's spyware.

  • If the notice is not crystal clear in describing intent and copious in identifying what information is to be copied, transmitted, and monitored, it's spyware.

We have precious little control over personal information left.

Archived at http://www.securityskeptic.com/arc20050401.htm#BlogID389 by Dave Piscitello  

Thu, 14 Apr 2005 00:00:00 00, 386
Spyware Data's SSI

I received an email from Ken Lloyd of Spywaredata.com asking if I would provide a reciprocal link at my spyware page for his site. I visited the site and found an impressive and well-organized spyware database. Spywaredata has searchable categories for Processes, Layered Service Providers (Winsock LSPs), BHOs, Toolbars, ActiveX, StartUp files and Search Engines. For each spyware, the site identifies the directory path, classID, spyware company, variants, and the number of infestations reported. I asked Ken about these statistics, and he replied as follows:

SSI was created over a year ago to track and subsequently identify the latest Spyware threats actually affecting the Internet. If you are familiar with Microsoft's new "SpyNet" project that was released a few months ago, SSI performs analogously and has been actively identifying spyware since January 2004. Here is how it works:

Users download our free SSI software and simply double click the program icon. SSI immediately scans your computer for any active spyware; that information is then presented to you. At that time you can choose to have this information analyzed against our real-time database. The results are promptly presented to our users with removal instructions. In addition, if we find unknown spyware we can then ask the user if they would like to upload these files for our technicians to take a closer look.

SSI is designed to be extremely easy for our users to understand and use. And with that we have processed over 210,000 scans.

I ran Ken's SSI on three PCs here, all protected by different antispyware software. SSI ran, uploaded the results, launched Internet Explorer (Firefox support is in beta), and presented a results page. SSI detected several unknown file types (e.g., Shavlik's HFNetChkPro 4 patch management software, some XP SP2 DLLs), and found copies of ICONSPY and ViewPointMedia. From this page, I visited the "remediation" page, where I found instructions on how to remove the pest. SSI appears to be yet another useful tool to add to the never quite complete antispyware toolkit.

Archived at http://www.securityskeptic.com/arc20050401.htm#BlogID386 by Dave Piscitello  

Mon, 11 Apr 2005 00:00:00 00, 383
Anti-phishing measure: User Behavior Modification

Recently, a fellow security professional asked if he could use some of my anti-phishing material in a presentation he was preparing for an upcoming CSI conference. Revisiting the presentation I gave at IPComm 2004, I recalled (and related) a dialog I had with an attendee about an interesting behavior modification program.

The attendee was an IT admin. With the approval of management, IT created a phishing email and hosted its own bogus web site based on a real attack, then emailed every employee in the company. Employees who responded to the link and completed the form received a subsequent email from IT advising them that they had fallen victim to a phishing attack, and that they were now obligated to complete "remedial therapy", in the form of a 30 minute anti-phishing seminar after close of business (mandatory attendance).

Two weeks later, IT modified the lure and repeated the phishing attack. The number of respondents was smaller. Again, employees who fell victim were required to attend a seminar.

IT now repeats the process routinely, and the number of phishing victims is now dramatically reduced.

I wish I could acknowledge the attendee since this is a simple but creative phishing countermeasure, and someone deserves kudos for dreaming it up. I'm just paying it forward...

Archived at http://www.securityskeptic.com/arc20050401.htm#BlogID383 by Dave Piscitello  

Fri, 25 Mar 2005 00:00:00 00, 382
A new, nefarious phishing deception technique

Poor PayPal seems to be the most popular lure among phishers these days.

I receive phishing emails almost daily warning me that my PayPal account is under review for security reasons. The most recent spate of these uses HTML in a particularly insidious manner to deceive even those recipients who are savvy enough to be wary of embedded hyperlinks.

Many antiphishing resources, including my own, warn people to make use of the browser status bar to assure that they are visiting the same URL they "see" in an email, by hovering the mouse over the hyperlink in the message, which will show the "real" URL they will visit should they click on the link.

The new phishing method uses an HTML form to prevent recipients from availing themselves of this antiphishing method. The raw HTML for this deception is reproduced below:

<FORM target="_blank" ACTION=http://rds.yahoo.com/*http://www.google.com/url METHOD=get>
  <!-- the real destination: a chain of third-party redirectors ending at the phisher's site;
       %6D%61%6E%75%61%6C is "manual", percent-encoded so the path does not read like a URL -->
  <INPUT TYPE=HIDDEN NAME=q VALUE=http://rds.yahoo.com/*http://www.securityskeptic.com/%6D%61%6E%75%61%6C/webscr/>
  <!-- a borderless submit button whose label is the URL the victim "sees";
       a button has no href, so hovering shows nothing in the status bar -->
  <input type=submit style="color:#000080; border:solid 0px; background:#white;" value=https://www.paypal.com/cgi-bin/webscr?cmd=_update>
</FORM>


I've substituted my own domain name (www.securityskeptic.com in the copy above) where the phisher would put his deception web site. What recipients see is a single line of dark blue text reading https://www.paypal.com/cgi-bin/webscr?cmd=_update: it is the form's submit button, styled without a border so that it passes for an ordinary hyperlink.

Try hovering over it. Nothing happens, because a button has no href for the browser to show in the status bar. Now click it: the form submits through the chain of redirectors and you'll reach my 404 Error page. In a phishing email, of course, the last hop in that chain is the deception web page.
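The trick above is easy to spot mechanically once you know what to look for, so here is an added example (mine, not code from the original post) in Python that audits an HTML mail body for it: a submit button whose label looks like a URL is compared with the hosts the form really submits to (the form action plus any hidden input carrying a URL, percent-decoded and split at each embedded http:// so a redirect chain shows every hop), and an anchor whose visible text is a URL is checked against its href. The sample message is constructed from the snippet above plus one legitimate PayPal link and one mismatched link pointing at a documentation address (198.51.100.7); the heuristics are my assumptions, not any vendor's rules.

```python
"""Audit an HTML mail body for the form-as-hyperlink phishing trick.

Added example, not code from the original post. Heuristics (my assumptions):
  * a submit button whose visible label looks like a URL has no href to hover
    over, so compare the label's host with where the form really submits:
    the form action plus any hidden input that carries a URL;
  * percent-decode those URLs and split them at every embedded http(s)://,
    so a redirect chain shows each hop and %6D%61%6E%75%61%6C reads "manual";
  * an anchor whose visible text is a URL must have an href on the same host.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

URL_PREFIX = re.compile(r"https?://", re.I)


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url.strip()).hostname or "").lower()


def split_redirect_chain(value):
    """'http://a/*http://b/x' -> ['http://a/*', 'http://b/x'], percent-decoded."""
    return [unquote(p) for p in re.split(r"(?=https?://)", value, flags=re.I) if p]


class FormLinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._action = None   # action of the form being parsed
        self._hidden = []     # URLs carried by hidden inputs of that form
        self._href = None     # href of the anchor being parsed
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._action, self._hidden = a.get("action", ""), []
        elif tag == "input":
            itype, value = a.get("type", "text").lower(), a.get("value", "")
            if itype == "hidden" and URL_PREFIX.match(value):
                self._hidden.extend(split_redirect_chain(value))
            elif itype == "submit" and URL_PREFIX.match(value):
                hops = split_redirect_chain(self._action or "") + self._hidden
                real = list(dict.fromkeys(h for h in map(host_of, hops) if h))
                self.findings.append({
                    "kind": "submit-button-as-link",
                    "shown": value,
                    "shown_host": host_of(value),
                    "real_hosts": real,
                    "destinations": hops,
                    "mismatch": host_of(value) not in real,
                })
        elif tag == "a":
            self._href, self._text = a.get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = "".join(self._text).strip()
            if URL_PREFIX.match(shown) and host_of(shown) != host_of(self._href):
                self.findings.append({
                    "kind": "anchor-text-host-mismatch",
                    "shown": shown,
                    "shown_host": host_of(shown),
                    "real_hosts": [host_of(self._href)],
                    "destinations": [self._href],
                    "mismatch": True,
                })
            self._href = None
        elif tag == "form":
            self._action, self._hidden = None, []


def audit_html(body):
    """Return a list of findings; an empty list means nothing looked deceptive."""
    parser = FormLinkAuditor()
    parser.feed(body)
    parser.close()
    return parser.findings


# Constructed sample: the snippet from the post, plus one legitimate PayPal link
# and one link whose visible text and href disagree (198.51.100.7 is a
# documentation address, not a real phishing host).
SAMPLE_MAIL = """
<p>Your account is under review. Please confirm your details at</p>
<FORM target="_blank" ACTION=http://rds.yahoo.com/*http://www.google.com/url METHOD=get>
<INPUT TYPE=HIDDEN NAME=q VALUE=http://rds.yahoo.com/*http://www.securityskeptic.com/%6D%61%6E%75%61%6C/webscr/>
<input type=submit style="color:#000080; border:solid 0px; background:#white;" value=https://www.paypal.com/cgi-bin/webscr?cmd=_update>
</FORM>
<p>update your preferences <a href="https://www.paypal.com/us/PREFS-NOTI" target="_blank"> here</a></p>
<p>or log in at <a href="http://198.51.100.7/login">https://www.paypal.com/</a></p>
"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_MAIL):
        print(f"{f['kind']}: shows {f['shown_host']}, really goes to {', '.join(f['real_hosts'])}")
```

Run as-is it reports the form (shown www.paypal.com, real hosts rds.yahoo.com, www.google.com, www.securityskeptic.com, with the decoded /manual/webscr/ path as the last hop) and the mismatched anchor, and stays silent on the genuine PayPal preferences link. A mail gateway or client plug-in would apply the same check before rendering; the point is that the comparison uses what the HTML actually submits to, not what the text claims.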

Increasingly, too, PayPal phishers are padding their messages with legitimate hyperlinks to real PayPal pages, e.g.,

To receive email notifications in plain text instead of HTML,

update your preferences <a href="https://www.paypal.com/us/PREFS-NOTI" target="_blank" > here</a>

This is all part of selling the deception.

HTML is a wonderful and powerful markup language, but it is so easily manipulated for malicious purposes that you should really consider whether you need your email to be "pretty". Reading mail as plain text defeats this trick outright: with nothing rendered, there is no button to mistake for a link.

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID382 by Dave Piscitello  

Thu, 17 Mar 2005 00:00:00 00, 380
Legislation won't stall the spyware juggernaut

Spyware has reached such epidemic proportions that legislators in the US Congress as well as state legislatures are responding to public outrage by drafting bills to prohibit its distribution, stem abusive practices and protect Internet user privacy. Unfortunately, pending and recently enacted anti-spyware laws are considerably flawed and could actually cause more harm than good. In fact, many experts believe we'd be better off if we'd simply put more effort into enforcing existing laws that prohibit fraud and deceptive business practices. And nearly all knowledgeable parties acknowledge that spyware is a technology problem that requires a technology solution. More...

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID380 by Dave Piscitello  

Wed, 16 Mar 2005 00:00:00 00, 379
PC Pitstop Top 25 Spyware list

Most people who read my blog are familiar with the SANS Top 20 Vulnerability list. Trend Micro, Vexira, and in fact, most antivirus companies host lists of the current most prevalent malware. PC Pitstop hosts a similar list of the Top 25 Spyware.

The rankings are derived from results of approximately 50,000 PCs that visit the site to run a signed ActiveX control spyware scanner (signed, how refreshingly unique!).

PC Pitstop acknowledges that their Top 25 rankings are biased. PC users who visit frequently to test for and remove pests based on the scan results will have less spyware than a randomly sampled population (the site apparently doesn't weed out repeat visitors). Still, it's an interesting list.

I ranted earlier this week about informed consent and disclosure. Legislators ought to study PC Pitstop's privacy policy and the excruciating detail they provide regarding cookie use, information collection and use, and "what they do to your PC". They tell you what they do; how they do it and why; how you can review what they do; and give you the opportunity to decline. Legislation doesn't have to be any more complicated than insisting that advertisers be as diligent as PC Pitstop. Well done...

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID379 by Dave Piscitello  

Sat, 12 Mar 2005 00:00:00 00, 377
Adware, spyware or malware - no matter the name...

Mitch Wagner, my editor at SecurityPipeline.com, wrote an editorial recently about the fuss adware vendors are making over the fact that their ware is really not spyware. Whether their ware spies or not is quite honestly irrelevant to the vast number of users (and SecurityPipeline readers). Choose any name you wish, adware is unsolicited, unwanted, and intrusive. But, for the sake of a blog entry, let's find an appropriate name.

So far, "scumware" is the most generic, appealing, and accurate label. SearchSMB.com defines scumware as "any programming that gets on your computer from Internet sites without your consent and often without your knowledge. Scumware is a general term that encompasses spyware, adware, annoyware, malware, parasiteware, unwelcome cookies, and various forms of viruses".

This definition works for me and everyone I asked today:-)

Why do the FTC, state and federal legislators insist on trying to narrow the definition of spyware, when most of the affected population would prefer to leave it as broad as possible? Users want to know what is being installed on their computers, and for what purpose, and want the right of informed refusal and consent. And make the default selection "refusal". This is exactly the opposite of what occurs today with all scumware.

You want effective legislation? Focus on informed consent. Force software vendors to a pure "opt-in" model, something that never materialized in postal delivery. Identify what constitutes deceptive and unauthorized use and installation of software. Make it illegal to install software without expressed user approval, and make vendors write intelligible terms of use and scope of application. With legislation of this kind, most folks will make intelligent opt-in decisions when asked whether they want Windows Update or WhenU. Which, of course, is exactly what adware vendors are most fearful of.

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID377 by Dave Piscitello  

Wed, 16 Feb 2005 00:00:00 00, 363
Remote BHO Scanner

David Glosser has written an open source antispyware Perl script that runs on a Windows host under ActivePerl with the Win32::TieRegistry module. The script scans the registries of all the computers in a Windows domain for the presence of Browser Helper Objects (BHOs), a common vehicle for spyware. The host computer must be a member of the domain and have remote registry access to the computers in the domain (in practice, the Remote Registry service must be running on each target and the account running the script must have rights to read their registries).

Remote BHO Scanner doesn't remove spyware. It does provide a report of BHOs discovered in the domain. This is an interesting tool for administrators who might want to routinely scan for BHO infestations. The reports will probably help admins convince more senior management that spyware is indeed a corporate as well as consumer problem.

David indicates that Bleeding Snort has volunteered to host Remote BHO Scanner. David also indicates that more information can be found at http://www.mgmg-interactive.com/mgmg/malware.html.

I've only toyed with this script thus far, but it's a very interesting and different way to tackle a growing spyware problem.

Archived at http://www.securityskeptic.com/arc20050201.htm#BlogID363 by Dave Piscitello  

Thu, 27 Jan 2005 00:00:00 00, 357
The spyware money trail

Colleague Scott Pinzon referred me to an excellent post describing one frustrated dad's attempt to trace a spyware infestation back to the folks who make money in this nasty business. Read Follow the Money; or, why does my computer keep getting infested with spyware?

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID357 by Dave Piscitello  

Wed, 19 Jan 2005 00:00:00 00, 354
Microsoft's Antispyware Beta

Microsoft began offering free downloads of the beta version of the antispyware software it recently acquired from Giant. I'm a bit late to the review gate, but here's my anecdotal assessment.

The beta only runs on licensed systems. You must run the Microsoft validation agent, which ironically means you must allow ActiveX controls in your IE settings. Frankly, since this is a beta, I question whether Microsoft would have earned more mileage offering the product without qualification. Spyware's a huge problem, and I think they not only missed a major marketing and distribution opportunity but an opportunity to serve the Internet community as well.

Giant had a reputable product before Microsoft acquired it, and while Microsoft may have standardized the look and feel, they seem to have adopted an "ain't broke, don't fix it" approach. The product has the features you should expect from quality antispyware software, and some interesting features I hadn't seen before. Realtime protection monitors dialup, messenger and WiFi activities; changes to Internet safe site lists, Winsock LSPs, Windows services, critical .ini files, as well as shell, scheduler, and TCP/IP changes. Protection from directory trojans, startup, BHO, registry, IE settings, and installed component spyware is also present. You can create restore points and schedule full or custom scans.

Microsoft's default security settings are all over the map. Auto-protection against spyware is enabled following installation and reboot, but you must run a Setup assistant to enable auto-updates, and you must choose Real-time Security Protection yourself. I would like to see these on by default.

Memory footprint is modest: two processes, gcasserv.exe and gcasDtserv.exe, are only 12 Megabytes. The UI is clean and intuitive. I like the results reports, which complement the customary threat enumeration, recommended action, and threat level with a sidebar containing the initial paragraphs of a detailed description of any threat detected; an assessment of the risk, and a link for more information.

I configured an infected PC to run a daily autoscan. The initial, full scan of three partitions totalling 20 GB took 20 minutes, about par for other products I've tried (some were faster, others slower). I ran the antispyware beta on a PC with XP SP2 that had been "protected" by the freeware tandem, SpywareGuard and SpywareBlaster, for about 2 months. The beta detected two threats (WhenU SaveNow, and brodcast/DSSagent). This result neither convinces me that Microsoft's product is excellent nor that SG and SB are lame; it only reaffirms my conviction that no single antispyware product is up to the task. New spyware seems to be appearing at a pace rivaling spam, not worms, and even Microsoft will have a hard time employing enough software engineers to level the playing field.

Like many antispyware products, Microsoft's beta provides a means for users to upload suspected spyware for analysis. Microsoft offers an opt-out for its Spynet Community. I'm a committed opt-in kinda guy so this annoys me. Probing further, the link to Microsoft's privacy policy regarding Spynet Community explains that Microsoft will explicitly ask for and not disclose personal identifying information to 3rd parties except those who will perform services on Microsoft's behalf (good), but it also indicates that Microsoft will use such information to contact individuals with surveys, product notifications, etc. The policy doesn't identify exactly what information it collects: if only privacy policies from Microsoft were as detailed as its EULA.

Overall, this is a good start for Microsoft. Microsoft claims it intends to provide its customers "with new tools to help protect them from the threat of spyware and other deceptive software" but I am not clear how Microsoft plans to make the tools available. Will this be a separately priced product, integrated with antivirus (what's the deal there, anyway?) and the Service Pack 2 Security Center?

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID354 by Dave Piscitello  

Tue, 11 Jan 2005 00:00:00 00, 350
How To Keep Spyware Off Your Enterprise Network

Spyware is challenging spam and viruses for the top spot on IT worry lists. Spyware poses considerable threats and risks to enterprise networks and remediation and countermeasures are now being regarded as critical to network security. More...

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID350 by Dave Piscitello  

Mon, 10 Jan 2005 00:00:00 00, 349
DSO Exploit

The "DSO Exploit" (Data Source Object) entry is one of the removal-resistant spyware items I've mentioned in several articles. Despite running Spybot Search and Destroy version 1.3, my son's computer was infected by this because he (OK, I) did not have the correct advanced settings. SupportCave has a page that explains how to remove DSO Exploit with a small executable, DSOstop2, and how to configure Spybot Search and Destroy to deal with this spyware correctly.

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID349 by Dave Piscitello  

Wed, 05 Jan 2005 00:00:00 00, 346
What's the difference between Spyware and Viruses?

The average Internet user has difficulty distinguishing viruses from spyware. SecurityPipeline launched a series on spyware with my article by this title. More...

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID346 by Dave Piscitello  

Thu, 16 Dec 2004 00:00:00 00, 338

Merijn, author of the highly useful helpware, HijackThis, has written another little pearl called BHOList.

BHOList scans your PC for installed Browser Helper Objects and Toolbars, and distinguishes legitimate BHOs from evil ones. For each BHO it discovers, BHOList identifies the ClassID, filename, owner, and a hyperlink to the software producer.

BHOList also provides a simple frontend utility to a list of Browser Helper Objects and Toolbars maintained by Tony Klein, and will download all the known and categorized BHOs maintained at several antispyware activist sites.

Find BHOList at http://www.spywareinfo.com/~merijn/downloads.html, along with HijackThis and a handful of equally helpful software developed by this remarkable young man from the Netherlands.
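Both BHOList and David Glosser's Remote BHO Scanner (above, February 2005) work from the same two registry locations: the list of registered BHO CLSIDs under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, and each CLSID's InprocServer32 key under HKCR, whose default value is the DLL Internet Explorer will load. As an added example, not the code of either tool, the Python below parses a .reg export of those keys (a constructed sample is embedded), pairs each BHO with its DLL, and marks it trusted only when the path is on an allowlist, which stands in for the Tony Klein list BHOList downloads. The CLSIDs, names and paths in the sample are made up. On a live host the same keys are readable with the winreg module (ConnectRegistry accepts a remote computer name, which is the approach the Perl script takes with Win32::TieRegistry); parsing an export keeps the example runnable offline and works on keys exported from other machines.

```python
r"""List Internet Explorer Browser Helper Objects from a .reg export.

Added example, not the code of BHOList or Remote BHO Scanner. It reads the two
registry locations both tools consult:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CLSID}
  HKCR\CLSID\{CLSID}\InprocServer32   (default value = the DLL that IE will load)
Input is the text of a "reg export" / regedit file. regedit writes UTF-16LE with
a BOM, so decode bytes with 'utf-16' before calling parse_reg_export.
"""
import re

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')   # @=... or "name"=...


def _unescape(s):
    # .reg string escapes: backslash-backslash -> backslash, backslash-quote -> quote
    return re.sub(r"\\(.)", r"\1", s)


def _parse_value(v):
    """Quoted string -> str, dword:xxxxxxxx -> int, anything else (hex:...) kept raw."""
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        return _unescape(v[1:-1])
    if v.lower().startswith("dword:"):
        return int(v[6:], 16)
    return v


def parse_reg_export(text):
    """Minimal .reg parser: {key path: {value name: value}}; the default value is under ''."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = _parse_value(m.group(2))
    return keys


def list_bhos(keys, allowlist=frozenset()):
    """One record per registered BHO with its CLSID resolved to a DLL path.
    'trusted' is True only when the lower-cased path is on the allowlist."""
    index = {k.lower(): v for k, v in keys.items()}
    prefix = BHO_KEY.lower() + "\\"
    seen, out = set(), []
    for key in keys:
        if not key.lower().startswith(prefix):
            continue
        clsid = key[len(prefix):].split("\\")[0]          # drop any subkey
        if not (clsid.startswith("{") and clsid.endswith("}")) or clsid.upper() in seen:
            continue
        seen.add(clsid.upper())
        info = index.get(f"{CLSID_KEY}\\{clsid}".lower())
        srv = index.get(f"{CLSID_KEY}\\{clsid}\\InprocServer32".lower(), {})
        dll = srv.get("") or None   # None: BHO registered but no server DLL (orphaned or broken)
        out.append({"clsid": clsid, "name": info.get("") if info else None, "dll": dll,
                    "trusted": dll is not None and dll.lower() in allowlist})
    return out


def report(bhos):
    """One line per BHO; '!!' marks anything not on the allowlist for follow-up."""
    return [f"{'OK' if b['trusted'] else '!!'} {b['clsid']} {b['name'] or '(no CLSID entry)'}"
            f" -> {b['dll'] or '(no InprocServer32)'}" for b in bhos]


# Constructed sample export: every CLSID, name and path below is made up.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-4000-8000-000000000001}]
@=""
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBBBBBBB-0000-4000-8000-000000000002}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CCCCCCCC-0000-4000-8000-000000000003}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-4000-8000-000000000001}]
@="AcroIEHlprObj Class"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-4000-8000-000000000001}\InprocServer32]
@="C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BBBBBBBB-0000-4000-8000-000000000002}]
@="WebSearch Helper"

[HKEY_CLASSES_ROOT\CLSID\{BBBBBBBB-0000-4000-8000-000000000002}\InprocServer32]
@="C:\\WINDOWS\\System32\\wsearch.dll"
"""

# Constructed allowlist (lower-cased paths); a real one would come from a vetted list.
ALLOWLIST = frozenset({r"c:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll"})

if __name__ == "__main__":
    print("\n".join(report(list_bhos(parse_reg_export(SAMPLE_EXPORT), ALLOWLIST))))
```

On the sample this lists three BHOs: the allowlisted Acrobat helper, an unknown DLL in System32 flagged for follow-up, and a CLSID registered as a BHO with no server at all, which is exactly the kind of leftover that removal-resistant pests and half-finished cleanups leave behind. Exporting the two keys from every machine and feeding the files through this gives the per-domain report the Remote BHO Scanner post describes, without the Remote Registry dependency.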

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID338 by Dave Piscitello  

Fri, 10 Dec 2004 00:00:00 00, 336
XoftSpy: one company's deceptive marketing practices

Kephyr Bazooka is one of the respected free spyware scanners. Using Google sponsored links and carefully contrived META description and keyword tags, the vendor of the suspect XoftSpy spyware remover infringes on and plays off Bazooka's good name and reputation.

I searched "Bazooka spyware" at Google, and the first response to this query is an advertisement page at one of the XoftSpy online shop domains. The page says, "Bazooka spyware scanner just detects spyware and does not remove it. An excellent alternative is ..."

Like most deceptive advertising, there is a half-truth here. Bazooka is indeed only a scanner. But this doesn't mean that Xoftspy is a better scanner. Of course this page doesn't claim that Xoftspy is a better scanner.

Manipulating search query replies is something I expect from porn sites, not security companies. All the genuinely useful work Kephyr Labs invested in Bazooka scanner is undermined by misleading META tagging on a commercial product's page. For the record, the META tags on the offending page are:

<META NAME="description" CONTENT="Bazooka is a spyware and adware scanner that detects spyware and adware on your system. It does not remove it. XoftSpy both detects and removes spyware and adware.">

<META NAME="keywords" CONTENT="bazooka spyware, killer,destroyer,remover,eliminator,eraser">

I'm singling out XoftSpy here, but at least a half-dozen other companies pull this same nonsense with Bazooka, AdAware, and SpyBot Search and Destroy.

PLEASE don't support these folks. The degree to which they undermine the trust we place in search engines is a source of embarrassment for the entire security community.

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID336 by Dave Piscitello  

Tue, 07 Dec 2004 00:00:00 00, 335
Spyware: Your worst nightmare

You think viruses, worms, blended threats and spam are bad? Spyware is worse. More...

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID335 by Dave Piscitello  

Fri, 12 Nov 2004 00:00:00 00, 328
No Click Phishing Attack

One sure way to avoid identity theft is to resist clicking on hyperlinks embedded in suspicious email messages you receive. Now even that "best practice" appears to be in question. Liberty Identity Theft Services and others report a no-click (zero-click) phishing attack, where simply opening an email message is enough to cause a malicious script to be executed.

The attack makes use of "preview windows" in email clients - yes, that convenient little window pane that shows you part of an email just became a window *pain*.

The script combines spyware and phishing techniques. From the spyware toolkit, the script employs browser hijacking: it modifies bookmarks (favorites) and redirects users to a spoofed web site. The site where the user is redirected is your basic phishing web site, i.e., one that presents what appears to be a legitimate request for personal, account and credit card information. (If you're unfamiliar with phishing in general, and what a phishing web site looks like, read Anatomy of a Phishing Expedition.)

This attack is a bit more subtle than a typical browser hijack: the victim may not visit the modified bookmark right away and so may never notice the change, and since phishing web sites don't remain online very long, the attacker's window of opportunity is small. If you are running anti-spyware software such as SpywareGuard, you should be protected against browser hijacking. If you don't have browser hijack protection, disable the preview pane in your email client, or better, read mail as plain text so that nothing is executed when a message is rendered. I suggest you consider one of the anti-spyware solutions I recommend here.

What a pane... er... pain.

Archived at http://www.securityskeptic.com/arc20041101.htm#BlogID328 by Dave Piscitello  

Wed, 03 Nov 2004 00:00:00 00, 325
Why do spammers spam?

During an NGN 2004 Boston session, Antispam: analyzing the alternatives, Paul Judge of CipherTrust offered an intriguingly simple root cause analysis of why spammers are motivated to spam:

"That’s where the money is..." More...

Archived at http://www.securityskeptic.com/arc20041101.htm#BlogID325 by Dave Piscitello  

Mon, 04 Oct 2004 00:00:00 00, 313
You call it spyware, I call it lieware

I was asked by Watchguard Wire to comment on the deceptive marketing practices certain "anti spyware" products employ to increase sales. As part of accumulating resources for my Spyware Resources page, I've installed and tested more than a dozen purported anti-spyware packages to find which are most effective. The deceptive practices of more than a few "anti" spyware vendors are pretty ugly. Read my full commentary at Watchguard Wire.

Archived at http://www.securityskeptic.com/arc20041001.htm#BlogID313 by Dave Piscitello  

Mon, 27 Sep 2004 00:00:00 00, 309
Antivirus and antispyware must be the same ware

Every network client must have antivirus software. We've been told so for years, and the message is finally sinking in. Network admission and integrity control are poised to enforce it today in enterprise networks and hopefully soon for public Internet access as well. Concern over spyware is increasing so rapidly that I fully expect that antispyware, too, will be a prerequisite for network logon. The problem I foresee is that, if we instrument poorly, network admission will end up like the queues at customs and immigration services: long, slow, tedious, and frustrating. More...

Archived at http://www.securityskeptic.com/arc20040901.htm#BlogID309 by Dave Piscitello  

Sun, 26 Sep 2004 00:00:00 00, 310
CoolWebSearch Chronicles

CoolWebSearch is one of the more insidious and treacherous browser hijacking nuisance-ware you will ever have the misfortune to experience. The miscreants behind this crudware have created a truly nasty beast. PestPatrol's Spyware Encyclopedia identifies over 70 CWS variants. They are resistant to detection and removal, and while present, they turn your "web experience" into a visit to hell.

The CoolWebSearch Chronicles offers a fascinating chronology of CWS through April 2004 (39 variants). It's an entertaining and valuable read for anyone who is trying to understand spyware.

Archived at http://www.securityskeptic.com/arc20040901.htm#BlogID310 by Dave Piscitello  

Sun, 29 Aug 2004 00:00:00 00, 300
Phishing and Fraud Prevention Resources

My Loop columns on phishing and spoof email are frequently visited. I've replied individually to enough emails about phishing to conclude I really ought to pull my resources together and make them available online. Visit phishing resources.

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID300 by Dave Piscitello  

Fri, 27 Aug 2004 00:00:00 00, 299
Spyware: your worst nightmare

You think viruses, worms, blended threats and spam are bad? Spyware is worse...

Spyware is software - a program file, a browser helper object, or a dynamic link library, for example - installed on your computer, without your knowledge and permission. Sometimes called adware, nastyware, crapware, scumware, and worse, it's all aggravating, and intrusive. It's enough to turn pacifists into violent activists. In some respects, spyware evokes the same kinds of emotional reactions as a Republican National Convention.

I've been investigating spyware for a series of articles I wrote for Watchguard and Loop. Much of the spyware out there is unsolicited advertising: marketing invertebrates monitor your web browsing and direct advertising to you based on the sites you've visited. This is annoying and maybe embarrassing: you can't begin to imagine what that one innocent visit to hotgirlsofcleveland.com does to your Internet experience.

I mention in all my articles that adware "data mining" also poses a privacy issue to individuals and a vector for sensitive information disclosure for businesses.

Then there's the "And you thought it was YOUR PC" problem. Beyond relentless advertising, spyware and adware often hijack a computer browser, driving users to alternative search sites, or even to competitors of e-merchant sites users are trying to visit. My son's PC was infected with a particularly nasty, blended threat of a spyware/adware package. It seized his browser and hosed his Google toolbar. It took any search he attempted and redirected him to some deceptive practices search site. It also warned him that he had spyware (how kind), and invited him to use Spyware Stormer (which is a rogue antispyware, BTW).

I also explain how spyware can be as malicious as trojans incorporated into a blended threat attack. Keyloggers may be installed as part of the package. Spyware may turn ugly on you. Try to remove it, and spyware may self-destruct and leave your Registry, browser configuration, and DLLs damaged beyond recovery. My son learned a "life lesson" last week, when we reinstalled Win2K Pro on his PC. That life lesson happens to include "Play with P2P, die with P2P"...

Antispyware appears to be abundant, but I'm sorry to say that deceptive practices and crapware taint the antispyware product market. Rogue antispyware may offer free scans, but many produce long lists of false positives to frighten you into purchasing the product. Others, as I mentioned above, blast you with popups and other forms of unsolicited and misleading advertising: isn't this what you're trying to eliminate?

I've created a spyware resources page here. Please use it! You'll find dozens of articles explaining spyware and recommending removal and protection strategies. You'll find my personal recommendations for combating spyware here as well.

This page is an active work in progress. I welcome you to comment here or at Loop and contribute to the list of resources I've begun.

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID299 by Dave Piscitello  

Sat, 31 Jul 2004 00:00:00 00, 287
Catching Phish

Mich Kabay posted a helpful column for people interested in understanding how to recognize phishing. Catching Phish describes a recent phishing scam, and is a nice complement to my columns at LOOP, Recognizing and responding to spoof email messages and Anatomy of a phishing expedition.

Archived at http://www.securityskeptic.com/arc20040701.htm#BlogID287 by Dave Piscitello  

Thu, 01 Jul 2004 00:00:00 00, 278
SPAM decline, worm increase

I've seen a definite drop in the spam delivered to my email accounts. Over the past two weeks, my Postini service has blocked 98.3% of spam, approximately 30 per day. I last spot-checked my spam filter efficacy by sampling April 3 through 16. At the time, Postini correctly detected and blocked 4858 spam email, which is well over 300 per day! What accounts for the order of magnitude decrease?

At the same time, I'm getting many more email messages with viruses attached: approximately 10 per day are blocked by my ISP's antivirus gateway, but I've also received and blocked about 2-3 per day at my desktop.

How do these compare with your spam and worm figures?

Archived at http://www.securityskeptic.com/arc20040701.htm#BlogID278 by Dave Piscitello  

Fri, 25 Jun 2004 00:00:00 00, 273
Spam and identity theft prove a costly tandem

Everyone who hates spam has to be delighted over the conviction and sentencing of Howard Carmack, the Buffalo Spammer. An Erie County, NY judge sentenced this low-life to 3.5-7 years for identity theft. How do I know he's a low-life? Well, the judge whacked him with a maximum sentence because he had prior felony convictions (fraud, money order forgery). Howard will keep busy in prison working to pay part of the $16 million judgment awarded to Earthlink in an earlier civil suit.

So how's your spam count this month? Mine's down. While I'm not optimistic that these rulings will slow spam over the long term, it's nice to simply see less for a change. It's also nice to see justice served.

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID273 by Dave Piscitello  

Wed, 26 May 2004 00:00:00 00, 256
Legislation and spyware

Before legislators (e.g., the FTC) can issue a regulation prohibiting a behavior or act, they must define that behavior and act. Many security professionals and attorneys worry that defining the behaviors and acts that constitute spam and spyware will provide "operating space" for spammers, trackers, pests, and spies. Specifically, if we define what constitutes inappropriate (sneaky) commercial applications of software delivery; secret information collection (tracking); and what Steve DelBianco aptly calls resisting removal behavior in software, we also define a sandbox in which developers can create intrusive applications that look and feel like spyware, and cookies that track user behavior, but operate within the definition of the law.

As DelBianco correctly asserts in his column, spyware is the quintessential 21st century bad business practice. He speculates, and I concur, that additional legislation may do more harm, where enforcement of existing laws prohibiting unfair and deceptive business practices may do more good. Bad business behavior is bad whether in the virtual or real world.

In the real world, we invite and consent to the installation of satellite dishes, cable TV and telephone connections and wiring in our homes and offices. We consent to security monitoring by a certified alarm company. Most of us would be outraged to find that surveillance cameras, recording devices, and microphones to collect information regarding our lifestyles would accompany the installation of any of these services. We expect to maintain control over who comes and goes in our homes and offices, and what they do while they are present on our property. It's not unreasonable for us to seek the same control over our computers, handhelds, and mobile phones. Spyware strips us of such controls.

The issue runs deeper than whether a cookie or music player application records the web pages I've visited and music I choose. It's a matter of trust versus violation of trust. Distinguishing spyware from adware from acceptable cookie and tracking ware isn't nearly so much a matter of technology as it is of trust.

I believe that legitimate adware, supportware, cookie, and tracking technology should provide:

  • notice of installation;

  • a description of all the activities it will perform and anticipated resource utilization;

  • a description of the kinds of advertisements it will display, and manner of display;

  • full disclosure of any information it will collect, the purpose of collection, and the parties to whom the information will be disclosed;

  • a local log function that provides the user with the means to corroborate these claims; and

  • a clean, non-resistant removal procedure.

Most importantly, all software should have opt-in installation and features selection facilities.

For example, a good business offers a free version of a media player with the following conditions stated during installation: (1) the user accepts entertainment-oriented ads; (2) the user agrees to the company gathering information limited to music titles and artists, movie titles, directors, producers, and actors, and play frequency; and (3) the company is permitted to sell this information, along with the user's name and address, to entertainment companies for the purpose of direct advertising. If the user declines (opts out), the media player will not install unless the user pays for and registers the product. The company gets something from you, and you get a media player from the company.

Notice that the music player is not "free"; it's using your CPU, memory, and bandwidth to profit by information it collects and ads it presents to you. Consider this real world analogy, illustrating a bad business practice. You purchase aspirin at Jocko's drug store, and have it delivered. Jocko's delivery van arrives, and three workers mount a neon "End Erectile Dysfunction now: buy vi@gr@ at Jocko's Drugstore" sign on your bedroom window, then use your electricity to power the darn thing. Meanwhile, Jocko's delivery boy rifles through your medicine cabinet, recording all your prescriptions. This is an unacceptable business practice. Many spywarez operate in exactly this manner. In the real world, we'd contact the Better Business Bureau or perhaps the police, and haul Jocko to court. We'd take advantage of existing laws and similar codes of practice enforced in countries throughout the world to hold Jocko accountable for unfair and deceptive business practices.

Before we begin writing new laws for spyware, let's see how much of the spyware cesspool we can clean up applying the laws we already have.

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID256 by Dave Piscitello  

Fri, 07 May 2004 00:00:00 00, 247
Anatomy of a Phishing Expedition

Phishing must be a hot topic. Gartner says it is so it must be so: you know how much stock I put in what Gartner says.

No matter. Phishing is a pretty serious problem, but it really is an ailment we can manage with education rather than technology. I've written a complementary article to the Recognizing and responding to spoof email messages I wrote for LOOP earlier this week. Read Anatomy of a Phishing Expedition.

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID247 by Dave Piscitello  

Tue, 04 May 2004 00:00:00 00, 244
Recognizing and responding to spoof email messages

I recently received a suspicious email, purportedly from eBay, requesting that I log into a web page to verify my account information. If you're curious how I and my partner, Lisa Phifer, examine email messages to determine if they are valid or bogus, read my Loop column, Recognizing and responding to spoof email messages.

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID244 by Dave Piscitello  

Fri, 23 Apr 2004 00:00:00 00, 236
Antispam: Show me the gateway!

I've written an editorial for LOOP describing my further conclusions regarding the value of antispam gateways versus antispam desktop products.

The article is posted at loop.interop.com.

Archived at http://www.securityskeptic.com/arc20040401.htm#BlogID236 by Dave Piscitello  

Tue, 20 Apr 2004 00:00:00 00, 232
Antispam: How complementary are Gateway and Desktop Measures?

I tracked spam arrival and disposition over a two-week period (April 3 - 16). I was curious whether I could increase the efficacy of my antispam measures by complementing the Postini service my ISP offers with a desktop antispam product.

My Postini configuration is basically the default settings. The service works well enough for me that I've only had to add 5 whitelist addresses, and I don't bother at all with the blacklist. I randomly chose a desktop antispam plug-in for Eudora and left it, too, at default settings.

From April 3 through 16, Postini correctly detected and blocked 4858 out of a total of 4906 spam messages, an admirable 99% efficiency. Postini incorrectly blocked 10 messages as spam. Of these, four were from the same, legitimate maillist source, and two were from friends with a propensity for profanity. Two whitelist entries would make Postini outstanding for my spam handling.

Of the 48 spam that were delivered to my desktop, only 26 were blocked by the antispam product I selected. Granted, I did not tune the product at all, but the results are still disappointing. Even more disappointing is how dependent on whitelisting the desktop antispam product was. Until I added three maillist addresses, ~50 legitimate messages per day were tagged as spam. Even with the whitelist entries, Antispam/MAX tagged an additional 35 messages as spam.

There's no commercial market for this kind of user involvement, especially if users can rely on an antispam gateway for highly dependable spam processing. I'll stick with Postini and uninstall the plug-in.

My wife has a Yahoo! pop3 account, and so cannot make use of my Postini service. To help her manage spam, I've since looked into two other products: SpamAssassin for Windows, and Mailwasher. SpamAssassin is a very popular and highly regarded open source tool, and my *NIX friends recommend it. But anything that requires the average consumer to install Perl and compile is just too much trouble no matter how simple the configuration might be.

Mailwasher is more intuitive, according to my non-technical wife. Mailwasher checks email while it's at the server. It fetches mail headers, and you select any or all of three dispositions (Delete, Bounce, Blacklist). If you are uncertain, you can preview the message. Click "Process Mail" and it acts according to the dispositions you selected. Click "Mail Program" and it launches the default mail client. You right-mouse click to add email addresses to your white list. If you are a gearhead, you can go fiddle with options, but the KISS principle seems to work just fine here. We'll use Mailwasher for a few weeks and report more again.

Archived at http://www.securityskeptic.com/arc20040401.htm#BlogID232 by Dave Piscitello  

Wed, 07 Apr 2004 00:00:00 00, 229
Unsolicited commercial mail - from antispam vendors

This is a disturbing trend. I've received three email messages recently from companies offering an antispam solution. What's amusing is that all three messages made it through my ISP's antispam gateway and the desktop antispam plug-in I'm testing in Eudora. So the question is, "if the folks who write antispam products are clever enough to mask their messages, what faith should we have that any product will ever be 'five nines' effective?"

Perhaps I'm overreacting: Death2SPAM may have purchased my email address from a site that shills email addresses for a living.

I'm ambivalent about Antispam legislation, since I don't think such laws are enforceable. I'd be satisfied with a default "opt out" policy at every web presence that collects an email address.

Archived at http://www.securityskeptic.com/arc20040401.htm#BlogID229 by Dave Piscitello  

Wed, 03 Dec 2003 00:00:00 00, 174
More of the same. Yet another game of cat-and-mouse.

Just prior to Comdex, I was dismayed that the efficiency of my antispam measures had seemingly collapsed. Spammers were obfuscating words by using special characters, as in p0rn.graphy and fr33 s3x.

Pornography and other undesirable email was slipping through my ISP's spam gateway at an alarming rate.

What's alarming?

I receive 300-400 spam messages per day, a consequence of having my email associated with so many web pages where I've published articles online. Until late October, my spam gateway was catching over 97% of the spam (I know this because every 2 weeks, I visit my quarantine area, and I keep a rough count of spam that arrives, and calculate "efficacy"). Suddenly, I'm receiving 30 or so spam per day, which is a drop in efficiency of nearly 10%.

Two weeks and a gateway update from Postini later, my spam gateway efficiency is at 97%.

Cat and mouse, or chess if you choose.

Spammers analyze how antispam software is detecting their activity, and adjust their techniques accordingly. Antispam software vendors study the new "attack" and adjust accordingly.
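As an added illustration of the adjustment a filter vendor has to make against the obfuscations quoted above (p0rn.graphy, fr33 s3x, vi@gr@), here is a small normalize-then-match step. This is example code written for this page, not Postini's logic or anything from the original post; the substitution table, the weighted blocklist and the sample messages are constructed assumptions.

```python
import re
import unicodedata

# Constructed substitution table for the digit/symbol swaps spammers use to
# slip past plain keyword filters. Assumption: illustrative, not exhaustive.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})

# Separators wedged inside a word ("p0rn.graphy"); stripped only when they sit
# between two letters, so ordinary sentence punctuation is left alone.
_INNER_SEP = re.compile(r"(?<=[a-z])[.\-_*+~/\\]+(?=[a-z])")

# Constructed, weighted blocklist. A single weak term such as "free" in a
# legitimate newsletter must not be enough on its own: that is exactly the
# false-positive problem the desktop product in the April experiment had.
BLOCKLIST = {"viagra": 3, "porn": 3, "sex": 1, "free": 1}
THRESHOLD = 2


def normalize(text: str) -> str:
    """Fold obfuscated text toward plain ASCII. Used for matching only,
    never for display, since it also mangles legitimate digits."""
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    text = text.lower().translate(LEET)
    return _INNER_SEP.sub("", text)


def score(text: str) -> tuple[int, list[str]]:
    """Return (weighted score, matched terms) for one message body.
    Terms must start at a word boundary so 'essex' does not hit 'sex'."""
    norm = normalize(text)
    hits = sorted(t for t in BLOCKLIST if re.search(r"\b" + t, norm))
    return sum(BLOCKLIST[t] for t in hits), hits


def is_spam(text: str) -> bool:
    return score(text)[0] >= THRESHOLD


if __name__ == "__main__":
    # Constructed sample bodies: three obfuscated spam lines, one legitimate.
    samples = ["Hot p0rn.graphy inside", "fr33 s3x tonight", "Buy vi@gr@ now",
               "Your free Postini trial ends April 16"]
    for body in samples:
        print(f"{is_spam(body)!s:5}  {score(body)}  {body!r}")
```

Note that the weighting, not the normalization, is what keeps the legitimate line below threshold; a filter tuned only for catch rate reproduces the ~50 false positives per day described above.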

So... are both sides making enough money for this to go on ad infinitum?

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID174 by Dave Piscitello  

Tue, 18 Nov 2003 00:00:00 00, 166
Anti-SPAM, DDOS Prevention, ... - Can't we do better than react?

Dr. Paul Judge posted a very interesting view about SPAM at ComDex Loop, The Ins and Outs of SPAM Defense.

Does anyone find it frustrating that we can only react to SPAM and not block it at the source? Like DOS attacks and network level probes, we are completely hamstrung by our inability to enforce and validate traffic sources: at the IP address level as well as the application level, we are too willing to deal with "garbage in" rather than isolating sources and pruning/blocking them.

Yes, source (address) validation is a very difficult problem. But if we choose to ignore it or concede it's hopeless, then we will forever be locked in a game of network cat and mouse.

Archived at http://www.securityskeptic.com/arc20031101.htm#BlogID166 by Dave Piscitello